Title: Private key recovery with 120 bit nonce leakage possible?
Post by: stilichovandal on April 26, 2024, 12:59:33 AM

Hi,
I have a hypothetical scenario where I know precisely 120 bits (out of 256) of the nonce used to create the signature for a transaction. There is only one transaction available. Is it possible to recover the private key for this? I assume that a lattice attack is not possible as we need more than one signature; what other possible attacks are available in this scenario?

Title: Re: Private key recovery with 120 bit nonce leakage possible?
Post by: stanner.austin on April 26, 2024, 10:32:45 AM

Hello
You can calculate with simple Python: int(1.03 * 4 / 3 * 256 / 120)
The result is 2, the minimum needed. The result is tested and can be verified with https://github.com/bitlogik/lattice-attack yourself too.
Regards,

Title: Re: Private key recovery with 120 bit nonce leakage possible?
Post by: stilichovandal on April 26, 2024, 12:46:44 PM

> Hello
> You can calculate with simple Python: int(1.03 * 4 / 3 * 256 / 120)
> The result is 2, the minimum needed. The result is tested and can be verified with https://github.com/bitlogik/lattice-attack yourself too.
> Regards,

Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack. For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of the nonce. E.g., if my nonce is E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that the nonce starts with E036153289470F858562CC4DAA5359??????????????????????????????????

The question is, is it possible to get a private key for this?

Title: Re: Private key recovery with 120 bit nonce leakage possible?
Post by: jacky19790729 on April 26, 2024, 05:25:13 PM

> Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack. For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.
>
> However, in my scenario, I know the 120 bits of the nonce. E.g., if my nonce is E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that the nonce starts with E036153289470F858562CC4DAA5359??????????????????????????????????
>
> The question is, is it possible to get a private key for this?

If you have only one signature, I think it is the same difficulty as Puzzle #136 but with the public key known.

Title: Re: Private key recovery with 120 bit nonce leakage possible?
Post by: stilichovandal on April 26, 2024, 07:28:51 PM

>> Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack. For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.
>>
>> However, in my scenario, I know the 120 bits of the nonce. E.g., if my nonce is E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that the nonce starts with E036153289470F858562CC4DAA5359??????????????????????????????????
>>
>> The question is, is it possible to get a private key for this?
>
> If you have only one signature, I think it is the same difficulty as Puzzle #136 but with the public key known.

I should have been clearer. Yes, I have the signature and associated public key used to sign the message.

Title: Re: Private key recovery with 120 bit nonce leakage possible?
Post by: cassondracoffee on April 26, 2024, 08:17:46 PM

>> Hello
>> You can calculate with simple Python: int(1.03 * 4 / 3 * 256 / 120)
>> The result is 2, the minimum needed. The result is tested and can be verified with https://github.com/bitlogik/lattice-attack yourself too.
>> Regards,
>
> Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack. For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.
>
> However, in my scenario, I know the 120 bits of the nonce. E.g., if my nonce is E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that the nonce starts with E036153289470F858562CC4DAA5359??????????????????????????????????
>
> The question is, is it possible to get a private key for this?

E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F
E036153289470F858562CC4DAA5359??????????????????????????????????

Title: Re: Private key recovery with 120 bit nonce leakage possible?
Post by: stilichovandal on April 26, 2024, 10:19:14 PM

>>> Hello
>>> You can calculate with simple Python: int(1.03 * 4 / 3 * 256 / 120)
>>> The result is 2, the minimum needed. The result is tested and can be verified with https://github.com/bitlogik/lattice-attack yourself too.
>>> Regards,
>>
>> Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack. For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.
>>
>> However, in my scenario, I know the 120 bits of the nonce. E.g., if my nonce is E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that the nonce starts with E036153289470F858562CC4DAA5359??????????????????????????????????
>>
>> The question is, is it possible to get a private key for this?
>
> E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F
> E036153289470F858562CC4DAA5359??????????????????????????????????

Not possible to calculate it from the x value, i.e. r. I have generated r myself and hence I know the actual nonce.