Re: Private key recovery with 120 bit nonce leakage possible?
Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.
Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.
Regards,
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.
Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.
Regards,
Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.
However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?
The question is, is it possible to get a private key for this?