Private key recovery with 120 bit nonce leakage possible?

[stilichovandal]

Hi,

I have a hypothetical scenario where I know precisely 120 bits (out of 256) of the nonce used to create the signature for a transaction.

There is only one transaction available.


Is it possible to recover the recover the private key for this?

I assume that a lattice attack is not possible as we need more than one signature; what other possible attacks are available in this scenario?

[1715022881]

1715022881

[1715022881]

1715022881

[1715022881]

1715022881

[1715022881]

1715022881

[stanner.austin]

Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.

Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.

Regards,

[stilichovandal]

Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.

Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.

Regards,

Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?

The question is, is it possible to get a private key for this?

[jacky19790729]

Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?

The question is, is it possible to get a private key for this?

If you have only one signatures
I think the same difficulty as Puzzle #136 but with public key had known

[stilichovandal]

Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?

The question is, is it possible to get a private key for this?

If you have only one signatures
I think the same difficulty as Puzzle #136 but with public key had known

I should have been clearer. Yes, I have the signature and associated public key used to sign the message.

[cassondracoffee]

Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.

Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.

Regards,

Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?

The question is, is it possible to get a private key for this?

How do you calculate E036153289470F858562CC4DAA5359 from E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F .what method you are using to calculate this value?
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F
E036153289470F858562CC4DAA5359?

[stilichovandal]

Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.

Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.

Regards,

Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?

The question is, is it possible to get a private key for this?

How do you calculate E036153289470F858562CC4DAA5359 from E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F .what method you are using to calculate this value?
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F
E036153289470F858562CC4DAA5359?

not possible to calculate it from the x value ie r.. I have generated r myself and hence I know the actual nonce.