Author Topic: 1  (Read 342 times)
ecdsa123 (OP)
October 30, 2022, 04:39:37 PM
Last edit: August 31, 2024, 02:56:54 PM by ecdsa123
 #1

1
PrivatePerson
October 30, 2022, 06:42:26 PM
 #2

If "r" starts with 000 - can this be considered a weak upper bit?
How to determine from a transaction that it has weak bits?
NotATether
October 31, 2022, 05:51:12 AM
 #3

When you say weak bits, you are referring to the ECDSA signature in the DER area?

If so, then you are probably referring to weak keys. It is nonsensical to talk about weak bits individually because all of the bits are processed together, and there is no way to determine a partially (percentage) weak key because the result wouldn't look like a weak key in those cases.

According to the link I just posted, nobody has found any weak keys in ECDSA... yet. The same is not true for RSA, though that only happens when you have insufficient entropy. So just use a large amount of entropy to generate your private keys or seed phrases and you should be fine.

CrunchyF
October 31, 2022, 02:59:59 PM
 #4

Dears,

Has any of you designed a lattice for finding the "upper bit" of the nonce used in a transaction?

I would like to discuss it.

Code:
signature matches
r,s,z 48689154203859932735178617811990715115458951113100269383364565174585471617161 59488788402984084081847159809764481890644008521609461496494308766936034267606 59079767853462261938702612351887995533770336525476423798454265358689099134317
nonce upper bit 52958707970624021912956063206457566071499734389836203485954119293586656 0000000000000000000001111 True
nonce upper bit 52958707970624021912956063206457566151183141809120411787220724971382566 0000000000000000000001111 True
nonce upper bit 52958707970624021912956063206457566096964448935598356216995353203856658 0000000000000000000001111 True
nonce upper bit 52958707970624021912956063206457566125718427263358259056179491061112564 0000000000000000000001111 True
nonce upper bit 52958707970624021912956063206457566119102316860861579868337547139563925 0000000000000000000001111 True
nonce upper bit 52958707970624021912956063206457566103580559338095035404837297125405297 0000000000000000000001111 True
private key 647321811779000003997549197398845893 115792089237316195423570985008687907852836916957263125382601165592320762648444
real nonce 25790403829687632369718936211412764674628780345318086433686503628591346 115792063446912365735938615289751696440072889650294559064518729455014532902991
bin 0000000000000000000000111

I'm not sure I understand your question well,
but from what I have seen on the net (and tested myself) about lattice attacks,
it's only possible to find the private key from a collection of signatures in these two cases:
1) You know a minimum of 3-4 bits (not only the upper bit, but anywhere in the 256 bits) of the k value in every signature (around 80 signatures are required for 4 bits to have a good probability of success).
2) You know that there are fixed bits in every k (3 or 4 bits anywhere in the 256 bits) => 252 bits of entropy
CrunchyF
October 31, 2022, 11:10:32 PM
Last edit: October 31, 2022, 11:55:14 PM by CrunchyF
 #5

I'm not talking about calculating the privkey from a collection of signatures. You will not find my solutions on the net. I rebuilt LLL and the way of rearranging, for testing one signature as part r s z, for finding the closest point as an integer value.

And if any of you does the same, we can discuss.

OK, can you tell me what inequality you want to solve?
From what I learned, the HNP problem is based on the following assumption:

α is a secret integer (it can be the privkey, or the nonce k for R).
The attacker is assumed to be given an oracle that, given a random sequence of integers t_i, for i ∈ {1, ..., m}, returns a sequence a_i such that

|t_i·α − a_i| mod q ≤ C

t_i is partial "leaked" information known by the attacker, so if you don't have t_i it's impossible to solve the system of inequalities.

Another thing intrigues me: if you are able to guess the upper bit of a nonce, you will be able to guess every bit of the nonce, because you just have to multiply R, S, Z by a power of 2 (mod N) to shift the bits to the desired place and redo the guessing, so ECDSA will be broken. In modular arithmetic every bit of a number has exactly the same "weight", unlike classical arithmetic where the upper bits have more weight than the lower ones.

In this paper:

https://pdfs.semanticscholar.org/f8f7/ad041226bb4d2afd504d1372feafafa7efe8.pdf
some techniques are explained to guess certain bits of a nonce,
but for example you can guess the third bit of the nonce (at a certain index) only if you know the two previous bits, and you need for that a minimum of 80 leaked signatures.
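
Added example (editor's illustration, not code from any poster in this thread): it builds secp256k1 ECDSA signatures and rewrites each one as a sample (t, a) of the inequality |t·α − a| mod q ≤ C quoted in the post above, with α the private key and q the group order N. The key, nonces and messages are constructed test values, and the helper names (`hnp_sample`, `demo`) are hypothetical.

```python
import hashlib
# secp256k1 public parameters; every key, nonce and message below is constructed.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine addition on y^2 = x^3 + 7 over F_P; None = infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def ec_mul(k, pt=G):  # double-and-add; not constant time, demo only
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def sign(d, z, k):  # textbook ECDSA with a caller-chosen nonce k
    r = ec_mul(k)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N

def hnp_sample(r, s, z):
    """s*k = z + r*d (mod N)  =>  k = t*d - a  with  t = r/s,  a = -z/s."""
    s_inv = pow(s, -1, N)
    return r * s_inv % N, -z * s_inv % N

def demo(zero_bits=8, count=4):
    """[(k, residue, within_bound)]: `count` short nonces, then `count` full-size."""
    h = lambda b: int.from_bytes(hashlib.sha256(b).digest(), "big")
    d, bound, rows = h(b"constructed key") % N, 1 << (256 - zero_bits), []
    for i in range(2 * count):
        k = (h(b"nonce%d" % i) >> zero_bits) | 1
        k |= (i >= count) << 255  # second half: top bit set, nonce is not short
        z = h(b"msg%d" % i) % N
        t, a = hnp_sample(*sign(d, z, k), z)
        residue = (t * d - a) % N  # equals k, the quantity the bound constrains
        rows.append((k, residue, residue < bound))
    return rows
```

The residue is the nonce itself, so the bound holds only for signatures whose nonces really are short; full-size nonces give samples that satisfy no bound tighter than N. Deterministic nonce generation as in RFC 6979 is the standard way for a signer to avoid producing short or biased nonces.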
COBRAS
November 02, 2022, 12:26:36 AM
 #6

Lattice is shit, don't waste your time!

dan.alex
January 03, 2024, 05:17:08 PM
 #7

I'm not talking about calculating the privkey from a collection of signatures. You will not find my solutions on the net. I rebuilt LLL and the way of rearranging, for testing one signature as part r s z, for finding the closest point as an integer value.

And if any of you does the same, we can discuss.
Elliptic curve points do not retain the properties of the numbers they represent in such a way that you can perform a modulo operation or check the last digit. The points on the elliptic curve are the solutions of the equation y^2 = x^3 + ax + b (over some finite field), and they don't correspond directly to integers in a way that would allow you to check if their remainder is 0. Lattice is useless unless you know either the corresponding MSB or the LSB for each specific nonce, and you cannot use lattices to find them, so why would you create such a delusional topic?