Author

Topic: Private key recovery with 120 bit nonce leakage possible? (Read 167 times)

jr. member
Activity: 28
Merit: 5
Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.

Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.

Regards,


Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?HuhHuhHuhHuhHuhHuhHuhHuhHuhHuhHuh

The question is, is it possible to get a private key for this?
How do you calculate E036153289470F858562CC4DAA5359 from E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F .what method you are using to calculate this value?
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F
E036153289470F858562CC4DAA5359?HuhHuhHuhHuhHuhHuhHuhHuhHuhHuhHuh





not possible to calculate it from the x value ie r.. I have generated r myself and hence I know the actual nonce.
newbie
Activity: 14
Merit: 0
Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.

Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.

Regards,


Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?HuhHuhHuhHuhHuhHuhHuhHuhHuhHuhHuh

The question is, is it possible to get a private key for this?
How do you calculate E036153289470F858562CC4DAA5359 from E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F .what method you are using to calculate this value?
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F
E036153289470F858562CC4DAA5359?HuhHuhHuhHuhHuhHuhHuhHuhHuhHuhHuh


jr. member
Activity: 28
Merit: 5
Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?HuhHuhHuhHuhHuhHuhHuhHuhHuhHuhHuh

The question is, is it possible to get a private key for this?

If you have only one signatures
I think the same difficulty as Puzzle #136 but with public key had known



I should have been clearer. Yes, I have the signature and associated public key used to sign the message.
jr. member
Activity: 82
Merit: 8
Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?HuhHuhHuhHuhHuhHuhHuhHuhHuhHuhHuh

The question is, is it possible to get a private key for this?

If you have only one signatures
I think the same difficulty as Puzzle #136 but with public key had known
jr. member
Activity: 28
Merit: 5
Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.

Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.

Regards,


Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?HuhHuhHuhHuhHuhHuhHuhHuhHuhHuhHuh

The question is, is it possible to get a private key for this?
member
Activity: 69
Merit: 53
Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.

Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.

Regards,
jr. member
Activity: 28
Merit: 5
Hi,

I have a hypothetical scenario where I know precisely 120 bits (out of 256) of the nonce used to create the signature for a transaction.

There is only one transaction available.


Is it possible to recover the recover the private key for this?

I assume that a lattice attack is not possible as we need more than one signature; what other possible attacks are available in this scenario?
Jump to: