lattice-attack || how to run it error-free

19 replies 122 views
Posts: 17 · Reputation: 214
#1Mar 10, 2020, 04:36 PM
is anyone able to create a video for the lattice-attack project? what exactly is data.json and how can I generate it? how can I run this without encountering any errors? here's the link to the git repo: https://github.com/bitlogik/lattice-attack if you could send the video to my email: thinkeasy123@protonmail.com or upload it to YouTube and drop the link, that would be awesome.
3 Reply Quote Share
hash_bossLegendary
Posts: 1166 · Reputation: 5261
#2Mar 10, 2020, 08:23 PM
All question you asked already answered on the repository. From https://github.com/bitlogik/lattice-attack#use, data.json contain some information needed to perform lattice attack. You can either make it manually or use gen_data.py You need to specify what kind of error you encountered. Have you fulfilled requirements which mentioned at https://github.com/bitlogik/lattice-attack#requirements?
6 Reply Quote Share
C4lmNinjaMember
Posts: 13 · Reputation: 144
#3Mar 12, 2020, 02:21 AM
Some problems with install fpylll Developer using Ubuntu >= 20.04 So try on Ubuntu 20.04 pip install git+https://github.com/bitlogik/lattice-attack pip install git+https://github.com/fplll/fpylll.git All command try installs not successful both on os windows and Linux using conda not successful too conda install -c conda-forge fpylll all methods include update apt too sudo add-apt-repository universe sudo apt update sudo apt install python3-fpylll pip install Cython all fail
0 Reply Quote Share
hash_bossLegendary
Posts: 1166 · Reputation: 5261
#4Mar 12, 2020, 07:13 AM
There might be problem with your Ubuntu 20.04 or library's setup.py. I tried it on Debian 11 (inside VM) and could run the library without any problem. This is the output.
2 Reply Quote Share
C4lmNinjaMember
Posts: 13 · Reputation: 144
#5Mar 12, 2020, 01:02 PM
Thank you ETFbitcoin I do a quick test on Debian in WSL2  windows, it is works I got same result run on Debian no problem
3 Reply Quote Share
C4lmNinjaMember
Posts: 13 · Reputation: 144
#6Mar 12, 2020, 06:14 PM
it is just mathematics research and it needs some leaked information to calculate, can not attack ECDSA that no leak data
3 Reply Quote Share
omega_bearFull Member
Posts: 116 · Reputation: 780
#7Mar 12, 2020, 11:17 PM
Last bit is posible to recovery maybe, or use nonse what probably has msb in zeros....
1 Reply Quote Share
C4lmNinjaMember
Posts: 13 · Reputation: 144
#8Mar 13, 2020, 05:10 AM
just random idea if can modify lattice-attack or cam switch from weak nonce to calculate weak private key may be possible to use solve puzzle 120-160 bit I mean lattice-attack can solve weak nonce 128 bit and 256 bit private key if can modify to change calculate strong nonce but weak private key meybe can use for solve 120 bit puzzle but 120 bit puzzle have only R and S one set only
0 Reply Quote Share
sage777Full Member
Posts: 102 · Reputation: 305
#9Mar 13, 2020, 08:15 AM
It is possible, but there is only one problem: you need two signatures. And you need two random signatures, not just two any signatures. Lattice is not that deterministic, you cannot use N and N-1 as your 120-bit nonce. I tried solving this Taproot testnet puzzle transaction: 448b81b2b3c2c8558d268e4f515ff38eb6367d156babbc3733a14834a5a6e7b0. My conclusion is: even for small keys (like 8-bit key) it is not so deterministic. You need a sufficiently random and weak key, you cannot just use any key.
5 Reply Quote Share
C4lmNinjaMember
Posts: 13 · Reputation: 144
#10Mar 13, 2020, 06:08 PM
right it requires two sign for calculate I would like to try to check weak nonce from key generate if know private key how to calculate to know nonce in python
2 Reply Quote Share
sage777Full Member
Posts: 102 · Reputation: 305
#11Mar 13, 2020, 11:50 PM
Just use your public key as R-value in your signature. Final signature: Edit: Final equations: If you know k, you can get d. If you know d, you can get k. It is a pair of connected numbers.
2 Reply Quote Share
C4lmNinjaMember
Posts: 13 · Reputation: 144
#12Mar 14, 2020, 02:41 AM
I try use this calculate puzzle #115 but it now work Can you help to samplecalculate puzzle #115
4 Reply Quote Share
sage777Full Member
Posts: 102 · Reputation: 305
#13Mar 14, 2020, 08:14 AM
So, let's see: First signature: Second signature:
0 Reply Quote Share
C4lmNinjaMember
Posts: 13 · Reputation: 144
#14Mar 14, 2020, 10:38 AM
Thank you garlonicon I try to understand math (still stuck with calculate by manual step by step)
3 Reply Quote Share
omega_bearFull Member
Posts: 116 · Reputation: 780
#15Mar 15, 2020, 04:14 AM
R,s,z   is only for outgoing transaction !!!
2 Reply Quote Share
sage777Full Member
Posts: 102 · Reputation: 305
#16Mar 15, 2020, 06:50 AM
Yes. But you can always use fake outgoing transaction and choose some z-value, where you don't know any matching transaction. For some attacks, this approach is also useful, even if you don't know any transaction that can use your signature. In lattice attacks, you can use any z-value, you don't care about transactions, because restoring keys is the only thing you can do in such attack, so fake z-value is also useful.
0 Reply Quote Share
CalmDefiMember
Posts: 22 · Reputation: 245
#17Mar 15, 2020, 08:24 AM
don't we use secp256k1 this is r1
3 Reply Quote Share
omega_bearFull Member
Posts: 116 · Reputation: 780
#18Mar 15, 2020, 09:08 AM
Realy ? Generate someonevfakecrsz please forvwalid bupkey, and for ex valid s... For crack aftervthis sighnatures ? Original rsz is 99% imposible to crack because different lenght if r,s,z - from x...to ..y for 1 pubkey etc...
5 Reply Quote Share
sage777Full Member
Posts: 102 · Reputation: 305
#19Mar 15, 2020, 09:15 AM
No problem. There are fake r,s,z values for the public key from the Genesis Block: Those signatures are only fake, because there is no known transaction that can be hashed to any of this z-value. That's the only reason, but from lattice point of view, they are as good as any real signatures, there is no difference in this attack, because knowing relations between nonces or some bits of private keys or nonces is more important than having a real signature. So, if you want to break for example puzzle 120, you don't need two real weak signatures. You need two any weak signatures, that are valid from ECDSA point of view, and that will pass lattice attack (because you cannot use for example N and N-1, they are too close and if one signature will be a tweaked version of another one, it will obviously not work). You don't need any real transaction that can be hashed to z-value, because after breaking the private key, you could make it and sign it from scratch.
0 Reply Quote Share
C4lmNinjaMember
Posts: 13 · Reputation: 144
#20Mar 15, 2020, 11:07 AM
I try to learn and understand math Did I understand correctly? this script method use leak nonce that generates to recover private key right? script it not use way collect data from all data from signature with? this lattice-attack use only one signature with leak 8-bit leak nonce to calculate correctly? just loop search from 1000 signature until found one can calculate
3 Reply Quote Share

Related topics