Can anyone explain in a simpler way how to run this lattice attack? Thanks
Yes, if you want I can try to summarize the lattice attack in a simple way, but I have to know what sort of leakage in the nonce you are attempting to exploit in the signatures you want to attack:
- a small nonce, e.g. a nonce between 1 and 2^128 instead of 1 and 2^256, like this:
000000000000000000000000000000003fc87113fa3119661528d1ead67fd97c
00000000000000000000000000000000c9b514fe70e73b4762e893ad7fa927b9
00000000000000000000000000000000bccd31a9026c3b39220ab2d185b40800
0000000000000000000000000000000075c73909c9d056ec09c5394ebd043364
00000000000000000000000000000000a86b35d428b45d48be1b4995c8c8b4ad
00000000000000000000000000000000b08ad648ce95649a0d893e7d7b596503
...
- a leakage in the MSB or LSB of signatures (e.g. you know the first 8 bits of the nonce value)
8798269c708d7cdcf5c8d81a3e6e5f8770dbfaebfd0130e70bd4cf1ecf8adbd1
08a31e897638a5bf4c3adc3daaaf3d8f1241b30ac46fea3e0f154547b01380df
51bf53e79da24d83649ff8396cfb81b6c02d4c6a65776d40217c7b8b66cf6000
d279f11b49061bc8c804ceea19327956beaaf16b84383a10df39db88e457f993
44159fa36129f20e644542b83c8bd8b5eb22a1bd78bdc2787c0de106b20962c5
be46afb29211a3a68149533eaaecd2b817d7fe3584085fbe329ac8751bffe703
It assumes that you know the bold value before performing the attack.
- a weak generation of nonces with fixed bits, e.g. the 16th byte of the nonce always has the value "FD" (you don't have to know the value, only that the bits at a fixed position are always the same).
f62a05c0e4fab585df2a0e020e87b62fdbfc6112306de89c2e692ac22c34a412
c357830e65c5a66c63152c51911e0a3fdbd4dd208d990a661b3fc0efa951c208
884299a0e2f15bb800ac4139bb4892afd22a141456d399d0c2ed8250e2683036
3cd1ab221edf28805abef9b0a44d05cfdc1d3d43896d062d96ae5a65499d092c
5fe0366612732cada1caac8e2d71277fd94f2abd74e0fa0042786c30695a756d
6c79fe6d34c51e311c356fec4a290d7fd7fe27c9f776c172a965a9b8e7f0f9da
With a little trick this last attack can be really powerful, because you don't have to know where the fixed bits are.
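
An added example, not part of the original post: a self-test that the owner of a signing implementation can run over nonces captured from their own test harness, flagging the leak patterns listed above (short nonces, and bits that never change at any position) without being told where the fixed bits are. The 256-bit width, the function names, the sample data and the `8 *` margin are assumptions made for this sketch.

```python
import hashlib

NBITS = 256  # assumed nonce width (256-bit curve order)

def constant_bits(nonces):
    """Map bit index (0 = most significant) -> value, for bits equal in every nonce."""
    and_acc, or_acc = (1 << NBITS) - 1, 0
    for k in nonces:
        and_acc &= k
        or_acc |= k
    fixed = {}
    for i in range(NBITS):
        mask = 1 << (NBITS - 1 - i)
        if and_acc & mask:
            fixed[i] = 1          # bit set in every sample
        elif not or_acc & mask:
            fixed[i] = 0          # bit clear in every sample
    return fixed

def audit(nonces):
    """Report the leak patterns from the post: short nonces and fixed bits anywhere."""
    fixed = constant_bits(nonces)
    lead = 0
    while fixed.get(lead) == 0:   # count the run of always-zero top bits
        lead += 1
    # An unbiased bit is constant over n samples with probability 2^(1-n).
    chance = NBITS * 2.0 ** (1 - len(nonces))
    return {
        "leading_zero_bits": lead,
        "fixed_positions": sorted(fixed),
        "expected_by_chance": chance,
        "suspicious": len(fixed) > 8 * chance,   # heuristic margin (assumption)
    }

def constructed_samples(n=64):
    """Constructed test data: deterministic stand-ins for nonces, not real ones."""
    healthy = [int.from_bytes(hashlib.sha256(b"constructed-%d" % i).digest(), "big")
               for i in range(n)]
    small = [k >> 128 for k in healthy]          # nonce below 2^128
    byte16 = 0xFF << 128                         # 16th byte from the left
    fixed_fd = [(k & ~byte16) | (0xFD << 128) for k in healthy]
    return {"healthy": healthy, "small": small, "fixed_fd": fixed_fd}

if __name__ == "__main__":
    for name, nonces in constructed_samples().items():
        r = audit(nonces)
        print(name, r["leading_zero_bits"], r["fixed_positions"][:8], r["suspicious"])
```

With only a handful of samples some bits are constant by chance, which is why the report includes the expected count; collect enough nonces that this figure is well below one before trusting a clean result.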