bitlogik / lattice-attack

Lattice ECDSA attack
GNU General Public License v3.0

Keys generated #23

Closed KrashKrash closed 1 year ago

KrashKrash commented 1 year ago

Hi.. I have input the XY coordinates of my public key in gen_data.py

But when I calculated the K Nonce given with the R,S,HASH generated, it does not point to the correct public key.

What might I have missed?

bitlogik commented 1 year ago

I don't know, since you don't share any details about how you calculated. So how did you calculate the public key?

I can see 2 ways to do so :

d is private key. Q public key. (s,r) a valid signature for H, with K nonce.

1. From the private key :
   s.K - r.d = H (mod n)
   -> d = ( s.K - H ) . r^-1 (mod n) <- not mod p
   Q = d.G

2. By public key recovery, you don't need any secret such as K.
   Recover R as the point where R is a point having r as its x coordinates = r(x) + y (2 possibilities).
   s.R - r.Q = H.G
   -> Q = (s.r^-1).R - (H.r^-1).G
   Since there are 2 R points from a given x, there are 2 public keys recoverable. So the first method is more straightforward if you know K (hence the private key).

bitlogik commented 1 year ago

Also : How do you input a public key in gen_data, as it starts from a private key (compute the public key from the private generated) ?

KrashKrash commented 1 year ago

> I don't know, since you don't share any details about how you calculated. So how did you calculate the public key?
>
> I can see 2 ways to do so :
>
> d is private key. Q public key. (s,r) a valid signature for H, with K nonce.
>
> 1. From the private key :
>    s.K - r.d = H (mod n)
>    -> d = ( s.K - H ) . r^-1 (mod n) <- not mod p
>    Q = d.G
>
> 2. By public key recovery, you don't need any secret such as K.
>    Recover R as the point where R is a point having r as its x coordinates = r(x) + y (2 possibilities).
>    s.R - r.Q = H.G
>    -> Q = (s.r^-1).R - (H.r^-1).G
>    Since there are 2 R points from a given x, there are 2 public keys recoverable. So the first method is more straightforward if you know K (hence the private key).

x = Private Key
m = Z or Hash
x = (s*k-m)/r

From x to public key, where Y is the Public Key and G is the XY coordinate:
G = Generator point
x = private key
Y = G * x
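The two derivations discussed in the comments above (private key from a fully known nonce, and public key recovery from the signature alone), as an added example that is not part of the thread or of the lattice-attack code. It assumes secp256k1 as the curve; the helper names and the values of d, k and H are constructed for illustration.

```python
# Added example (not from lattice-attack). Assumes secp256k1; demo values are constructed.
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None: return Q
    if Q is None: return P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
        return None
    if P == Q:
        lam = 3 * P[0] * P[0] * pow(2 * P[1], -1, p) % p
    else:
        lam = (Q[1] - P[1]) * pow((Q[0] - P[0]) % p, -1, p) % p
    x = (lam * lam - P[0] - Q[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)

def mul(k, P):
    """Double-and-add scalar multiplication (not constant time, demo only)."""
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def sign(d, k, H):
    """ECDSA signing with a caller-chosen nonce k, so that s.k - r.d = H (mod n)."""
    r = mul(k, G)[0] % n
    return r, pow(k, -1, n) * (H + r * d) % n

def priv_from_nonce(r, s, k, H):
    """Method 1: d = (s.K - H) . r^-1, reduced mod n (the group order), not mod p."""
    return (s * k - H) * pow(r, -1, n) % n

def recover_pubkeys(r, s, H):
    """Method 2: Q = (s.r^-1).R - (H.r^-1).G for both points R whose x is r."""
    y = pow(r**3 + 7, (p + 1) // 4, p)  # square root mod p, valid because p % 4 == 3
    rinv = pow(r, -1, n)
    return [add(mul(s * rinv % n, R), mul(-H * rinv % n, G))
            for R in ((r, y), (r, p - y))]

if __name__ == "__main__":
    d, k, H = 0x1234abcd, 0x9e3779b97f4a7c15, 0xfeedface  # constructed demo values
    r, s = sign(d, k, H)
    print(priv_from_nonce(r, s, k, H) == d, mul(d, G) in recover_pubkeys(r, s, H))
```

If the key computed with method 1 does not map to the expected public key, the usual causes are reducing mod p instead of mod n, or using a k that is not the nonce that produced r.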

KrashKrash commented 1 year ago

Is it possible to print the k_nonce for gen_input.py as well? I know now gen_data.py is possible. But when I tried the same with gen_input, I'm not sure how to do it correctly so that it prints out in the JSON file.

bitlogik commented 1 year ago

Your equations seem good. Well, for gen_input, it works with partial k values directly (that's the purpose of LatticeAttack after all). From the system studied, the nonce partial value is expected to be 0, for all signatures selected, because this side channel system reveals (discriminates) only 7 bits when they are all 0. There is a data filter selecting only signatures which have a nonce that has its 7 least significant bits set to 0. Known partial k are all set to 0. So we don't know the full value of the nonce; only a HNP can lead to solve the private key. We can't use the simple equations to compute the private key, because we don't know any full nonce.

See the EC Dummy PA SPA paper for the details.
https://www.sstic.org/media/SSTIC2021/SSTIC-actes/return_of_ecc_dummy_point_additions_simple_power_a/SSTIC2021-Article-return_of_ecc_dummy_point_additions_simple_power_analysis_on_efficient_p-256_implementation-russon.pdf