Hey everyone, I could use some assistance.
1) I keep running into this error after downloading the program from here. I was trying to check for weak edcsa, but I can't get this tool to work right. Even when I use the example that comes with it and run gen_data.py, it just doesn't cooperate. Is there something specific I need to tweak?
So when I run this:
python3 lattice_attack.py
It shows:
Lattice ECDSA Attack
Loading data from file data.json
Running with 6 bits of k (LSB)
Starting recovery attack (curve SECP256K1)
Constructing matrix
Solving matrix ...
LLL reduction
Traceback (most recent call last):
File "/home/krash/lattack/lattice_attack.py", line 259, in <module>
lattice_attack_cli(arg.f, arg.l)
File "/home/krash/lattack/lattice_attack.py", line 239, in lattice_attack_cli
result = recover_private_key(
File "/home/krash/lattack/lattice_attack.py", line 195, in recover_private_key
res = test_result(lattice, pub_key, curve)
File "/home/krash/lattack/lattice_attack.py", line 93, in test_result
if target_pubkey == ecdsa_lib.privkey_to_pubkey(cand1, curve):
File "/home/krash/lattack/ecdsa_lib.py", line 129, in privkey_to_pubkey
ec.derive_private_key(pv_key_int, ec_backend, backends.default_backend())
File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/ec.py", line 332, in derive_private_key
raise TypeError("private_value must be an integer type.")
TypeError: private_value must be an integer type.
What the heck is going on?
2) Also, if I want to put in my own data like (RSZ, hashes), which file do I need to modify?
Help with Lattice Attack Error
8 replies 320 views
matrix_nodeFull Member
Posts: 85 · Reputation: 519
#2May 23, 2017, 07:47 AM
Hello
If you have sage installed this conflict with fpylll integers.
Possible solution is just use int(cand1) and int(cand2) to avoid this.
For second question.
public transtion R,S,Z don't have leaked nonce.
bitlogik lattice attack need leaked nonce min 4 bit with 100 sign pairs.
If you consider you have weak nonce pairs in your R,S,Z you can use sage method from https://github.com/daedalus/BreakingECDSAwithLLL
This one don't need leaked nonce bit but its attack on weak nonce data in R.
SilentBridgeSenior Member
Posts: 124 · Reputation: 827
#3May 23, 2017, 08:19 AM
Did you install the dependencies and follow what's on the readme?
It tells you how to edit the json file with your own information on what you know of your private key and coordinates of the public key, this is why I ask, maybe it's a step you've missed.
Thank you so much. it works now.
however, im just wondering and im doing it correctly because the generated data as shown is the same as the key found.
the generated data of Priv Key is the same as Key Found?
python3 gen_data.py && python3 lattice_attack.py
Preparing Data
Private key to be found (as demo) :
0x416e7cb879e0e2d89aa6ad9e3426bf386a957a1c8f94c7907b528abc8eada15b
Generating 1000 signatures with curve SECP256K1
leaking 6 bits for k (LSB) ...
File data.json written with all data.
----- Lattice ECDSA Attack -----
Loading data from file data.json
Running with 6 bits of k (LSB)
Starting recovery attack (curve SECP256K1)
Constructing matrix
Solving matrix ...
LLL reduction
Key found \o/
0x416e7cb879e0e2d89aa6ad9e3426bf386a957a1c8f94c7907b528abc8eada15b
ah yes..i got that now. just for everyone who is reading this sake (and mine too) , is it enough to just give the public keys without giving the coordinates and the RSZ?
cyberp1x3lFull Member
Posts: 56 · Reputation: 294
#6May 25, 2017, 01:00 PM
from OP maybe the problem is from the python version try to test on a different python version to solve a problem
recommend with python 3.7 try this
SilentBridgeSenior Member
Posts: 124 · Reputation: 827
#7May 25, 2017, 04:25 PM
The public key might be the coordinates already (if it's uncompressed) if it's compressed then you should probably run it through something that can give you both coordinates just to be safe.
Afaik, uncompressed public keys start with hexadecimal 04 (0x04) and compressed public keys start with hexadecimals (02 or 03) as identifiers.
I think your other question about using RSZ was answered also but maybe you could confirm that once you get something going or explain what it is that you're asking.
this was posted back in september 2022. i already figure it out. it was the fpylll library. cant run with sagemath. need to uninstall the sagemath and then fpylll can be use.
Hello. How to find lsb or msb bit leak in lattice attack? Is there a method for this?
Related topics
- Need Help! Funds Gone / Wrong Address 10
- What can I do to fix this Bitcoin Core error? 8
- Twist Attack, Sub-Group Attack and Pollard-Rho Implementation Issues 4
- issues with bitcoin core database read error 2
- Could Innopolis Tech launch a 51% attack on the testnet? 19
- What tools can help build test Bitcoin chains? 2