K Nonce - Githubissues

bitlogik / lattice-attack

Lattice ECDSA attack

GNU General Public License v3.0

120 stars 36 forks source link

K Nonce #22

Closed KrashKrash closed 1 year ago

KrashKrash commented 1 year ago

How do I rewrite the code to reveal the K Nonce use in generating the datas in gen_input.py? I tried "print" at the ecdsa.lib it self. Don't work. Tried adding print(f"k_nonce:{k_nonce}") on gen_input.py too. don't work either.

bitlogik commented 1 year ago

If you need to print the values of all nonces for each signatures during the creation process of the demo data, you can :

Add print(f"k_nonce:{k_nonce}") after _knonce variable creation, and before return in _ecdsa_signkout() of ecdsa.lib (L140-141).
Add print(f"k_nonce:{sig_info[2]}") on line 48 in _geninput. Because _ecdsa_signkout() returns r, s, k_nonce. So third element of the tuple _siginfo is the nonce.

Also you can do print("k_nonce :", k_nonce). instead of f-string.

KrashKrash commented 1 year ago

If you need to print the values of all nonces for each signatures during the creation process of the demo data, you can :

Add print(f"k_nonce:{k_nonce}") after _knonce variable creation, and before return in _ecdsa_signkout() of ecdsa.lib (L140-141).

Add print(f"k_nonce:{sig_info[2]}") on line 48 in _geninput. Because _ecdsa_signkout() returns r, s, k_nonce. So third element of the tuple _siginfo is the nonce.

Also you can do print("k_nonce :", k_nonce). instead of f-string.

Ok thank you so much. It works. Thanks again.

KrashKrash commented 1 year ago

If you need to print the values of all nonces for each signatures during the creation process of the demo data, you can :
* Add `print(f"k_nonce:{k_nonce}")` after _k_nonce_ variable creation, and before return in _ecdsa_sign_kout()_ of _ecdsa.lib_ (L140-141).

* Add `print(f"k_nonce:{sig_info[2]}")` on line 48 in _gen_input_. Because  _ecdsa_sign_kout()_ returns r, s, k_nonce. So third element of the tuple _sig_info_ is the nonce.
Also you can do print("k_nonce :", k_nonce). instead of f-string.

i thin you answered for gen_data not gen_input

bitlogik commented 1 year ago

Yes, we talked about _gendata indeed. For _geninput, the k nonces are all selected to have their 7 least significant bits set to 0. So it ends up with kp=0 for all signatures samples selected, and one doesn't know the full value of the nonce. I don't see the point to print zeros. This _geninput is a wonderful demonstration of the LatticeAttack software as it is supposed to work when only a portion of the nonce is known.