lattice-attack and 1-bit signatures r s z

5 replies 387 views
orbit777Member
Posts: 9 · Reputation: 92
#1Mar 20, 2018, 09:50 AM
I was checking out this git repo to create 1-bit signatures, but then I ran into a "private-key not found" issue. So, I figured I should dive into the details of 1-bit signature r s z to crack the private key. If anyone has the 1-bit r s z info, it would be great to see that here. I’m trying to prove that 1-bit can solve d. How many 1-bit r s z signatures do I need to tackle this d problem? Please share whatever you have. I’m a student working to demonstrate that 1-bit can indeed solve d. I’m looking for a txt, JSON, or any format of a 1-bit r s z known_bits file.
5 Reply Quote Share
5tack5atsSenior Member
Posts: 142 · Reputation: 897
#2Mar 20, 2018, 03:52 PM
More than it can fit in your RAM.
3 Reply Quote Share
ninja_nodeFull Member
Posts: 89 · Reputation: 647
#3Mar 21, 2018, 07:56 AM
One bit signature doesn't make sense, even for very small elliptic curves, for example p=79, n=67, base=(1,18). Even in that case, it is marked as a 7-bit curve (which could provide something like 6-bit security in practice, because 79 or 67 are much closer to 64 than to 128). If you want to have one-bit values inside a signature, then you expect to have every value equal to exactly zero, or exactly one. This is what a single bit can store, nothing else. Which means, that (r=0,s=0), (r=0,s=1), (r=1,s=0), and (r=1,s=1), are all possible signatures. What do you want to get here? Private keys are in range from 1 to n-1. If n=2 in some very weak curve, then you have a generator, and a point at infinity, and absolutely nothing else. Well, if we assume, that a single bit is not what is stored, but what is known, which would mean 255-bit signatures, then yes, it won't fit in RAM.
3 Reply Quote Share
5tack5atsSenior Member
Posts: 142 · Reputation: 897
#4Mar 21, 2018, 12:35 PM
I assumed OP meant 1 bit biased nonces to solve lattice. If you force s to 1-bit .... nvm was drunk, s-value cannot be forced since r needs to equal kG.x mod n.
3 Reply Quote Share
ColdVaultMember
Posts: 19 · Reputation: 184
#5Mar 22, 2018, 01:13 PM
You cant use Lattice attack for 1 Bit Nonce Bias. It is impossible The Euclidean length of the target error vector actually surpasses the radius of the lattice's Voronoi cell limit (the Gaussian Heuristic) or in simplistic terms in the real the vector which is ur secret key is hidden Noise. In Large Dimensions it is almost impossible amount of noise You need to use Fourier Attack Here is the Discussion of the Topic: https://bitcointalk.org/index.php?topic=5512838.0
4 Reply Quote Share
luckyapeFull Member
Posts: 77 · Reputation: 599
#6Mar 22, 2018, 02:28 PM
The confusion here is probably in the wording. There is no such thing as a useful "1-bit r s z signature" in the way you seem to mean it. r, s, and z are still full size values. What matters for the lattice attack is what you know about the nonce k, not whether the signature text file has some cute 1-bit label on it. If you know the full nonce, one signature is enough. If you know almost all of the nonce, a few signatures can be enough. If you know several fixed MSB/LSB bits across many signatures, lattice can start becoming useful depending on the bit count and signature count. But one known bit per nonce on secp256k1 is basically asking the lattice to find a needle in a needle factory during a power cut. The error term is too large, the dimension gets ugly, and the reduction does not magically turn that into a private key. Also, as ktimes already hinted, you cannot just force s or r into being "1 bit" and expect that to model a real ECDSA weakness. r comes from k*G, and s = k^-1(z + r*d) mod n. If you force k into a tiny range, then yes, the key falls over immediately, but that is not a lattice attack anymore, that is just "your nonce generator is drunk and should not be allowed near cryptography". So if the tool says private key not found, that is probably the correct result. Feed it a realistic test where, say, multiple bits of each nonce are known in the way the tool expects. With one bit, you are not proving "one bit can solve d", you are mostly proving that laptops can be converted into small space heaters.
2 Reply Quote Share

Related topics