Private key recovery with 120 bit nonce leakage possible?

stilichovandal

jr. member

Activity: 31

Merit: 5

Quote from: cassondracoffee on April 26, 2024, 03:17:46 PM

Quote from: stilichovandal on April 26, 2024, 07:46:44 AM

Quote from: stanner.austin on April 26, 2024, 05:32:45 AM

Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.

Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.

Regards,

Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359? Huh

The question is, is it possible to get a private key for this?

How do you calculate E036153289470F858562CC4DAA5359 from E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F .what method you are using to calculate this value?
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F
E036153289470F858562CC4DAA5359? Huh

not possible to calculate it from the x value ie r.. I have generated r myself and hence I know the actual nonce.

cassondracoffee

newbie

Activity: 16

Merit: 0

Quote from: stilichovandal on April 26, 2024, 07:46:44 AM

Quote from: stanner.austin on April 26, 2024, 05:32:45 AM

Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.

Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.

Regards,

Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359? Huh

The question is, is it possible to get a private key for this?

How do you calculate E036153289470F858562CC4DAA5359 from E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F .what method you are using to calculate this value?
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F
E036153289470F858562CC4DAA5359? Huh

stilichovandal

jr. member

Activity: 31

Merit: 5

Quote from: jacky19790729 on April 26, 2024, 12:25:13 PM

Quote from: stilichovandal on April 26, 2024, 07:46:44 AM

Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359? Huh

The question is, is it possible to get a private key for this?

If you have only one signatures
I think the same difficulty as Puzzle #136 but with public key had known

I should have been clearer. Yes, I have the signature and associated public key used to sign the message.

jacky19790729

jr. member

Activity: 82

Merit: 8

Quote from: stilichovandal on April 26, 2024, 07:46:44 AM

Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359? Huh

The question is, is it possible to get a private key for this?

If you have only one signatures
I think the same difficulty as Puzzle #136 but with public key had known

stilichovandal

jr. member

Activity: 31

Merit: 5

Quote from: stanner.austin on April 26, 2024, 05:32:45 AM

Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.

Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.

Regards,

Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359? Huh

The question is, is it possible to get a private key for this?

stanner.austin

member

Activity: 69

Merit: 53

Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.

Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.

Regards,

stilichovandal

jr. member

Activity: 31

Merit: 5

Hi,

I have a hypothetical scenario where I know precisely 120 bits (out of 256) of the nonce used to create the signature for a transaction.

There is only one transaction available.

Is it possible to recover the recover the private key for this?

I assume that a lattice attack is not possible as we need more than one signature; what other possible attacks are available in this scenario?

Topic: Private key recovery with 120 bit nonce leakage possible? (Read 172 times)