JFOER / Lattice-Attacks-on-ECDSA


comment #1

Open timucindusunur opened 2 months ago

timucindusunur commented 2 months ago

It wants all the data, what's the point?? Does it serve any purpose other than verifying the k value? The private key does not give any output, it only verifies the given k value with the private key.

JFOER commented 2 months ago


Thank you for your question. We need all the data because we want to make “correct guesses”. In practical attacks, this part can be efficiently handled by leveraging hyper-threading technology to enumerate through different values. The parameter Z mentioned in the paper (and used in the code) is directly related to the number of enumerations. To more conveniently assess the feasibility of our attack in terms of time, we make “correct guesses” each time, calculate the duration, and finally derive the total recovery time by multiplying the average number of guesses by the recovery time for that iteration, divided by the number of threads. This calculation method is actually similar to the approach outlined in reference "Guessing Bits: Improved Lattice Attacks on (EC)DSA with Nonce Leakage" (TCHES2022).

Regarding the second question, it not only provided the value of k, but also the private key, because in our code, we ultimately make a comparison with the actual private key stored in the file, and if they match, we output "correct". If you require specific values, you can simply add a code snippet to print the results. In fact, obtaining k is equivalent to obtaining the private key, as the only unknowns in the signature equation are k and the private key, and knowing one allows us to solve for the other.


timucindusunur commented 1 month ago

Thanks for the answer. I couldn't find the article.

JFOER commented 1 month ago

The paper is under review.
