I'm not taking about calculation privkey from collection signatures. You will not find my solutions on net. i rebuild LLL and way of rearranged for testing one signature as part r s z for finding closest pointt as integer value.
And if someone of you do the same we can discus
Ok can you tell me what are the inegality you want to resolve?
for what i learned the HNP problem is based on the following assumption:
α is a secret integer (it can be the privkey, or the nonce k for R).
The attacker is assumed to be given an oracle that given a random sequence of integers
ti , for i ∈ {1, . . . , m}, returns a sequence
ai such that
|ti.α − ai | mod q ≤ C
ti is a partial "leaked" information knowed by the attacker. so if you don't have
ti it's impossible to resolve the inegality system.
An other thing intrigues me.. if you are able to guess the upper bit of a nonce , you will be able to guess every bit of the nonce because you just have to multiply R,S,Z by a power of 2 (mod N) to shift the bits at the desired place and redo the guessing..so ECDSA will be broken. In modular arithmetic every bit of a number have exactly the same "weight" unlike classical arithmetic where the upper bits have more weight that the lower
In this paper :
https://pdfs.semanticscholar.org/f8f7/ad041226bb4d2afd504d1372feafafa7efe8.pdfsome techniques are explained to guess certain bits of a nonce
but for example you can guess the third bit of the nonce (at a certain index) only if you know the two previous bits and you need for that a minimum of 80 leaked signatures.
