Re: Private key recovery with 120 bit nonce leakage possible?
Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.
However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?
The question is, is it possible to get a private key for this?
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.
However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?
The question is, is it possible to get a private key for this?
If you have only one signatures
I think the same difficulty as Puzzle #136 but with public key had known
I should have been clearer. Yes, I have the signature and associated public key used to sign the message.