Hi, I first want to congratulate you for your work and contribution. For study purposes I implemented in Linux lll-VirtualBox 5.4.0-74-generic #83~18.04.1-Ubuntu SMP Tue May 11 16:01:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

It turns out that the first script normally generates the csv containing data.
But the second attack script returns the error below:

lll@lll-VirtualBox:~/BreakingECDSAwithLLL$ python3 crack_weak_ECDSA_nonces_with_LLL.py nonces.csv 176 6 | grep -e 9ec4bc49e828d924af1d1029cacf709431abbde46d59554b62bc270e3b29c4b1
Traceback (most recent call last):
File "crack_weak_ECDSA_nonces_with_LLL.py", line 11, in
from sage.all_cmdline import *
ModuleNotFoundError: No module named 'sage'

Do you have any idea what might be happening and how to solve it? Thanks

hi . does it work in etereum network?

How ro run BKZ mode ?

Thank you.

Good afternoon.
Please tell me in what order the values in the nonce.csv file should go in order for the file crack_weak_ECDSA_nonces_with_LLL.py?
In order for these parameters to be read correctly. R,S,Z or Z,R,S?
And what is "pubs = []"?

buntu@ip-172-31-65-90:~/BreakingECDSAwithLLL$ python3 weak_signature
_generator.py e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991
250 60 >>60.txt

--------------------------------------------

ubuntu@ip-172-31-65-90:~/BreakingECDSAwithLLL$ python3 crack_weak_ECD
SA_nonces_with_LLL.py 60.txt 250 60 | grep -e e3b0c44298fc1c149afbf4c
8996fb92427ae41e4649b934ca495991b7852b855
/usr/lib/python3/dist-packages/apport/report.py:13: DeprecationWarnin
g: the imp module is deprecated in favour of importlib; see the modul
e's documentation for alternative uses
import fnmatch, glob, traceback, errno, sys, atexit, locale, imp, s
tat
Traceback (most recent call last):
File "crack_weak_ECDSA_nonces_with_LLL.py", line 39, in
msgs,sigs,pubs = load_csv(filename)
File "crack_weak_ECDSA_nonces_with_LLL.py", line 32, in load_csv
tx,R,S,Z,pub = l
ValueError: too many values to unpack (expected 5)

How to fix this ?

Thanx

i use web3 js for generate signature , with this code

for (var i=0;i<8;i++){
var a= await web3.eth.accounts.signTransaction({
to: addr[i],
value: valued[i],
gas: 21000,
nonce:686,
gasPrice:gaspriced[i],
chainId: 1,
data:0
}, '0x2EE0C4ED86CC5DAE5F593542783E9BE94E817FDD600903DD7499710175FDC2C6')
console.log(a.r+","+a.s+","+a.transactionHash)

writefile2(("1111,"+a.r+","+a.s+","+a.transactionHash+",0000"));
}

but when i test output with your code it cant find private key

What is a 1111 and 0000 in generated data file ?

1111 mean nonce srart with 1111 or what ?

Thanx.

Good afternoon. How can you know in advance that a signature is vulnerable without calculating the lattice?

Hello.
I have error below on python3.10, what i can do? Thanks.

C:\Users\K\Desktop\BreakingECDSAwithLLL-master>python crack_weak_ECDSA_nonces_with_LLL.py nonces.csv 176 6 grep -e e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Using: 6 sigs...
Traceback (most recent call last):
File "C:\Users\K\Desktop\BreakingECDSAwithLLL-master\crack_weak_ECDSA_nonces_with_LLL.py", line 109, in
main()
File "C:\Users\K\Desktop\BreakingECDSAwithLLL-master\crack_weak_ECDSA_nonces_with_LLL.py", line 97, in main
matrix = make_matrix(msgs, sigs, pubs, B)
File "C:\Users\K\Desktop\BreakingECDSAwithLLL-master\crack_weak_ECDSA_nonces_with_LLL.py", line 43, in make_matrix
matrix = Matrix(QQ, m + 2, m + 2)
NameError: name 'Matrix' is not defined. Did you mean: 'matrix'?

Can you add check founbed secret key's to public key ?

Scrypt generate many private keys but only one can be valid for publick key.

Check all keys manualy is hard task, so this feather can be helpful.

Regards.

Hi Daedalus,

Thanks for the nice python script.
I am trying to add LSB function to the code.

According to Nadia Heninger it is easy to use LSB by shifting the signatures by 2^-L bits.

I did the following in your code:

1. Generate bit shifted nonces:
   nonces = [random.randrange(1, 2**bits) + yubikey_fixed_prefix for i in range(n)]
   nonces_shift = [nonces[i] << 80 & mask for i in range(n)]

2. Shifting sigs in crack.py for a p192- curve and 192 bit length nonces:
   mask = 2 ** 192 - 1
   msgs.append(int(Z,16))
   sigs.append((int((bin(int(R,16) >> 80 & mask)),2),int((bin(int(S,16) >> 80 & mask)),2)))

So doing a left shift in the nonces to get 80-Bits 0s then right shift the sigs 80-bits to get the 0s MSB.

This does not work and the key is wrong.

Maybe you can help me out on this?

thx

File "/home/BreakingECDSAwithLLL/crack_weak_ECDSA_nonces_with_LLL.py", line 28, in load_csv
if n < limit:
TypeError: '<' not supported between instances of 'int' and 'function'

Hi,
I've tried to run your scripts. But it created an empty nonce.csv
I just run the same as you described in the readme

Hi, thanks again for your contribution.
I managed to implement (it really was the installation of sage, referring to the previous topic) thank you very much for the tip.
Now I need some help, I would like to save the "crack_weak_ECDSA_nonces_with_LLL.py" file output in txt or csv, but I can't change the script to do that. It only prints on the terminal... Could you give me a hand? Thanks

Hello @daedalus It happens that some devices generate short Nonces.
Approximately 2 ^ 243-2 ^ 244

Accordingly, if Nonces is short, then it must contain null at the beginning.
That is, the first 3 bits of Nonces contain a leading zero.

Given the known values of the signature [R, S, H (e)], can we determine whether the size of Nonces is short?

Is there a way to find out information about the first 3 bit of Nonces?

@daedalus hello please explain to me, can this program calculate the private key when i have different value of r and k, i have a wallet for bitcoin but the value of r is different, please explain to me

(Attacker)

Will find the private key if LLL converges, args:(bits,nonces)

python3 crack_weak_ECDSA_nonces_with_LLL.py nonces.csv 176 6 | grep -e e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Sorry. what did you input here?

"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" is that the txiD?

Why this code not found privkey ?

thon3 weak_signature
_generator.py e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991
b7852b855 252 252 > nonces111.csv

/BreakingECDSAwithLLL$ python3 crack_weak_ECD
SA_nonces_with_LLL.py nonces111.csv 252 252 | grep -e e3b0c44298fc1c
149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

????

Help me please ?

Regard

Hi Darío! Unfortunately, I cannot run sagemath on python3

from sage.all import * module

but on python2 with the script will work. Tell me what I need to fix in the code in the crack_weak_ECDSA_nonces_with_LLL.py file to run on python2?

hi
how can i find sage.allcmd_line ?
can yo help me?
thanks

I have many problems to install of sagemath and in windows python its unsupported. If u can please make this script without sagemath. I try many AI's but its dont work

hi bro,

I ran a new version that is now up, and the following error occurs:

Please check.

python3 crack_weak_ECDSA_nonces_with_LLL.py nonces.csv 176 6
Using: 6 sigs...
/usr/lib/python3/dist-packages/apport/report.py:13: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
import fnmatch, glob, traceback, errno, sys, atexit, locale, imp, stat
Traceback (most recent call last):
File "crack_weak_ECDSA_nonces_with_LLL.py", line 116, in
main()
File "crack_weak_ECDSA_nonces_with_LLL.py", line 104, in main
matrix = make_matrix(msgs,sigs,pubs)
File "crack_weak_ECDSA_nonces_with_LLL.py", line 51, in make_matrix
x0=(sigs[i][0] * modular_inv(sigs[i][1], order)) - rnsn_inv
NameError: name 'rnsn_inv' is not defined

cf) The first version that was uploaded worked well without any problems. Thank you.