I was checking out this git repo to create 1-bit signatures, but then I ran into a "private-key not found" issue.
So, I figured I should dive into the details of 1-bit signature r s z to crack the private key. If anyone has the 1-bit r s z info, it would be great to see that here. I’m trying to prove that 1-bit can solve d.
How many 1-bit r s z signatures do I need to tackle this d problem? Please share whatever you have. I’m a student working to demonstrate that 1-bit can indeed solve d.
I’m looking for a txt, JSON, or any format of a 1-bit r s z known_bits file.
lattice-attack and 1-bit signatures r s z
5 replies 387 views
More than it can fit in your RAM.
ninja_nodeFull Member
Posts: 89 · Reputation: 647
#3Mar 21, 2018, 07:56 AM
One bit signature doesn't make sense, even for very small elliptic curves, for example p=79, n=67, base=(1,18). Even in that case, it is marked as a 7-bit curve (which could provide something like 6-bit security in practice, because 79 or 67 are much closer to 64 than to 128).
If you want to have one-bit values inside a signature, then you expect to have every value equal to exactly zero, or exactly one. This is what a single bit can store, nothing else. Which means, that (r=0,s=0), (r=0,s=1), (r=1,s=0), and (r=1,s=1), are all possible signatures. What do you want to get here? Private keys are in range from 1 to n-1. If n=2 in some very weak curve, then you have a generator, and a point at infinity, and absolutely nothing else.
Well, if we assume, that a single bit is not what is stored, but what is known, which would mean 255-bit signatures, then yes, it won't fit in RAM.
I assumed OP meant 1 bit biased nonces to solve lattice. If you force s to 1-bit .... nvm was drunk, s-value cannot be forced since r needs to equal kG.x mod n.
You cant use Lattice attack for 1 Bit Nonce Bias. It is impossible
The Euclidean length of the target error vector actually surpasses the radius of the lattice's Voronoi cell limit (the Gaussian Heuristic) or in simplistic terms in the real
the vector which is ur secret key is hidden Noise. In Large Dimensions it is almost impossible amount of noise
You need to use Fourier Attack
Here is the Discussion of the Topic: https://bitcointalk.org/index.php?topic=5512838.0
The confusion here is probably in the wording. There is no such thing as a useful "1-bit r s z signature" in the way you seem to mean it. r, s, and z are still full size values. What matters for the lattice attack is what you know about the nonce k, not whether the signature text file has some cute 1-bit label on it.
If you know the full nonce, one signature is enough. If you know almost all of the nonce, a few signatures can be enough. If you know several fixed MSB/LSB bits across many signatures, lattice can start becoming useful depending on the bit count and signature count. But one known bit per nonce on secp256k1 is basically asking the lattice to find a needle in a needle factory during a power cut. The error term is too large, the dimension gets ugly, and the reduction does not magically turn that into a private key.
Also, as ktimes already hinted, you cannot just force s or r into being "1 bit" and expect that to model a real ECDSA weakness. r comes from k*G, and s = k^-1(z + r*d) mod n. If you force k into a tiny range, then yes, the key falls over immediately, but that is not a lattice attack anymore, that is just "your nonce generator is drunk and should not be allowed near cryptography".
So if the tool says private key not found, that is probably the correct result. Feed it a realistic test where, say, multiple bits of each nonce are known in the way the tool expects. With one bit, you are not proving "one bit can solve d", you are mostly proving that laptops can be converted into small space heaters.
Related topics
- Extracting R values from blockchain signatures 14
- Twist Attack, Sub-Group Attack and Pollard-Rho Implementation Issues 4
- Could Innopolis Tech launch a 51% attack on the testnet? 19
- Potential attack strategy for btc puzzle pool: ttd's pool. 4
- Bitcoin Core displaying coins (UTXOs) in a new tab 13
- Are you in favor of BIP-110? Let's get a Bitcoin poll going. 0