is anyone able to create a video for the lattice-attack project?
what exactly is data.json and how can I generate it?
how can I run this without encountering any errors?
here's the link to the git repo: https://github.com/bitlogik/lattice-attack
if you could send the video to my email: thinkeasy123@protonmail.com or upload it to YouTube and drop the link, that would be awesome.
All question you asked already answered on the repository.
From https://github.com/bitlogik/lattice-attack#use, data.json contain some information needed to perform lattice attack.
You can either make it manually or use gen_data.py
You need to specify what kind of error you encountered. Have you fulfilled requirements which mentioned at https://github.com/bitlogik/lattice-attack#requirements?
Some problems with install fpylll
Developer using Ubuntu >= 20.04
So try on Ubuntu 20.04
pip install git+https://github.com/bitlogik/lattice-attack
pip install git+https://github.com/fplll/fpylll.git
All command try installs not successful both on os windows and Linux
using conda not successful too
conda install -c conda-forge fpylll
all methods include update apt too
sudo add-apt-repository universe
sudo apt update
sudo apt install python3-fpylll
pip install Cython
all fail
There might be problem with your Ubuntu 20.04 or library's setup.py. I tried it on Debian 11 (inside VM) and could run the library without any problem.
This is the output.
just random idea
if can modify lattice-attack or cam switch from weak nonce to calculate weak private key may be possible to use solve puzzle 120-160 bit
I mean lattice-attack can solve weak nonce 128 bit and 256 bit private key
if can modify to change calculate strong nonce but weak private key meybe can use for solve 120 bit puzzle
but 120 bit puzzle have only R and S one set only
It is possible, but there is only one problem: you need two signatures. And you need two random signatures, not just two any signatures. Lattice is not that deterministic, you cannot use N and N-1 as your 120-bit nonce. I tried solving this Taproot testnet puzzle transaction: 448b81b2b3c2c8558d268e4f515ff38eb6367d156babbc3733a14834a5a6e7b0. My conclusion is: even for small keys (like 8-bit key) it is not so deterministic. You need a sufficiently random and weak key, you cannot just use any key.
right it requires two sign for calculate
I would like to try to check weak nonce from key generate
if know private key how to calculate to know nonce in python
Just use your public key as R-value in your signature.
Final signature:
Edit: Final equations:
If you know k, you can get d. If you know d, you can get k. It is a pair of connected numbers.
Yes. But you can always use fake outgoing transaction and choose some z-value, where you don't know any matching transaction. For some attacks, this approach is also useful, even if you don't know any transaction that can use your signature. In lattice attacks, you can use any z-value, you don't care about transactions, because restoring keys is the only thing you can do in such attack, so fake z-value is also useful.
Realy ? Generate someonevfakecrsz please forvwalid bupkey, and for ex valid s... For crack aftervthis sighnatures ? Original rsz is 99% imposible to crack because different lenght if r,s,z - from x...to ..y for 1 pubkey etc...
No problem. There are fake r,s,z values for the public key from the Genesis Block:
Those signatures are only fake, because there is no known transaction that can be hashed to any of this z-value. That's the only reason, but from lattice point of view, they are as good as any real signatures, there is no difference in this attack, because knowing relations between nonces or some bits of private keys or nonces is more important than having a real signature.
So, if you want to break for example puzzle 120, you don't need two real weak signatures. You need two any weak signatures, that are valid from ECDSA point of view, and that will pass lattice attack (because you cannot use for example N and N-1, they are too close and if one signature will be a tweaked version of another one, it will obviously not work). You don't need any real transaction that can be hashed to z-value, because after breaking the private key, you could make it and sign it from scratch.
I try to learn and understand math
Did I understand correctly?
this script method use leak nonce that generates to recover private key right?
script it not use way collect data from all data from signature with?
this lattice-attack use only one signature with leak 8-bit leak nonce to calculate correctly?
just loop search from 1000 signature until found one can calculate