Hey guys, I think I stumbled upon something concerning!
I came across an article that claims if there are enough transactions and even a nonce bias of just 1, it could lead to recovering a private Bitcoin key. This survey from Edinburgh Napier University (by William Buchanan and others) discusses how nonce biases, poor nonce selection, or even just one weak bit can allow key recovery using lattice methods like LLL.
So I decided to check my own transactions. With a little help from ChatGPT, I wrote a script based on that research. First, I pulled the RSZ data from my transactions using tools from iceland2k14/rsz and verified everything with 2coins.org/RSZ-Signature-From-Tx. The data looked good.
I converted the RSZ data into binary format, and during my first analysis, I noticed an 8-bit bias over 12 transactions in the upper range (MSG). I dug deeper and had ChatGPT help me run an analysis script based on the study. Turns out, my transactions showed a significant bias, and R was correlating with S and Z. In theory, that means someone could potentially recover my private key.
I also tried using a custom tool made by ChatGPT. Thankfully, I couldn't recover my private key I did find a bunch of addresses, but mine wasn’t included. Still, I’m feeling a bit uneasy about it.
There are plenty of RSZ recovery tools on GitHub, but most need a fully known nonce. Plus, since I already moved my BTC to a new wallet, what tools can actually recover a private key with a bit bias of 4 to 8?
Lattice Attack and Nonce Bias in Transactions
2 replies 406 views
matrix_nodeFull Member
Posts: 85 · Reputation: 519
#2Jun 18, 2024, 01:40 AM
Hi
Technically with 80 sign set of RSZ with just 4 bit known on MSB or LSB can use lattice attack to find target private key in seconds.
Its millions in 1 onc chance.
Only possible and known reason to have this is following.
It can be bug in tool which use to sign transaction which known from long time.
it can be self testing or very old address, old time they don't know much about nonce liner attack or weak nonce.
Regards,
Can you share the article paper link?
I am all ready to try converting the RSZ data to a binary format. No bias leak. Can you share your code because I went to test how your bias code was working?
?Reply
Sign in to reply to this topic
Related topics
- Twist Attack, Sub-Group Attack and Pollard-Rho Implementation Issues 4
- Could Innopolis Tech launch a 51% attack on the testnet? 19
- Looking for 3 examples of r, s, z and nonce data 19
- Potential attack strategy for btc puzzle pool: ttd's pool. 4
- Bitcoin Core displaying coins (UTXOs) in a new tab 13
- Are you in favor of BIP-110? Let's get a Bitcoin poll going. 0