https://github.com/daedalus/breakingecdsawithlll

Breaking ECDSA (not so broken) with LLL
https://github.com/daedalus/breakingecdsawithlll

cryptography cve-2024-31497 ecdsa lattice-reduction lll trailofbits

Last synced: 1 day ago
JSON representation

Breaking ECDSA (not so broken) with LLL

• Host: GitHub
• URL: https://github.com/daedalus/breakingecdsawithlll
• Owner: daedalus
• License: mit
• Created: 2020-06-15T20:02:29.000Z (almost 5 years ago)
• Default Branch: master
• Last Pushed: 2025-03-31T00:43:03.000Z (about 1 month ago)
• Last Synced: 2025-03-31T01:25:08.658Z (about 1 month ago)
• Topics: cryptography, cve-2024-31497, ecdsa, lattice-reduction, lll, trailofbits
• Language: Python
• Homepage:
• Size: 36.1 KB
• Stars: 81
• Watchers: 7
• Forks: 25
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE.txt

Awesome Lists containing this project

README

        
![lint_python](https://github.com/daedalus/BreakingECDSAwithLLL/workflows/lint_python/badge.svg)

[![GitHub issues](https://img.shields.io/github/issues/daedalus/BreakingECDSAwithLLL.svg)](https://github.com/daedalus/BreakingECDSAwithLLL/issues)

[![GitHub forks](https://img.shields.io/github/forks/daedalus/BreakingECDSAwithLLL.svg)](https://github.com/daedalus/BreakingECDSAwithLLL/network)

[![GitHub stars](https://img.shields.io/github/stars/daedalus/BreakingECDSAwithLLL.svg)](https://github.com/daedalus/BreakingECDSAwithLLL/stargazers)

# BreakingECDSAwithLLL

Breaking ECDSA (not so broken) with LLL

The main idea behing this attack is the theorem of the great numbers, if you have a crypto funcion and lots of samples (signatures) generated with a private key having a bias in the nonce generation, then they will tend to converge to a single point which happens to be the private key, this is equal to solving the hidden number problem.

And for solving it we employ Lenstra-Lenstra-Lovasz lattice reduction algorithm.

The main counter measure against this kind of attack is using deterministic signatures like Z=H(h||d), where Z is the digest, H is a crypto-secure hash funcion, h the nonce, and d our private key. This is needed in order to have a even distributed, random looking nonce.

Heavily based on previous work

  ```

https://blog.trailofbits.com/2020/06/11/ecdsa-handle-with-care/

https://www.youtube.com/watch?v=6ssTlSSIJQE

  ```

First install dependencies:

  ```

  sudo apt-get install sagemath python3-ecdsa

  ```

Then run:

  ```

  # (Victim) 

  # This will generate 6 weak signatures with a known key, args:(privkey,bits,nonces)

  python3 weak_signature_generator.py e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 176 6 > nonces.csv

  

  # (Attacker) 

  # Will find the private key if LLL converges, args:(bits,nonces)

  python3 crack_weak_ECDSA_nonces_with_LLL.py nonces.csv 176 6 | grep -e e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

  ```

This PoC was referenced in [CVE-2024-31497](https://nvd.nist.gov/vuln/detail/CVE-2024-31497) on 4/16/2024.