Hello everyone,
I'm still working on solving a puzzle posted at
https://bitcointalk.org/index.php?topic=5535021.0Today, I'm focusing on a specific key that might help trivialize solving half of the puzzle.
This key's corresponding address is currently empty, and I've managed to collect a total of 5 valid ECDSA signatures related to it.
Here's the analysis — I'm particularly looking into whether the signatures reveal enough bias to attempt a lattice (LLL) attack using only 5 samples.
=== Fine-Grained Analysis of S Distribution ===
S in [1, n/4]: 4/5 → 80.00%
S in [1, n/8]: 3/5 → 60.00%
S in [1, n/16]: 1/5 → 20.00%
S in [1, n/32]: 1/5 → 20.00%
S in [1, n/64]: 0/5 → 0.00%
S in [1, n/128]: 0/5 → 0.00%
Result:
MAX BIAS: 4/5 signatures (80.00%) in [1, n/4]
→ Strong bias detected, likely due to a biased nonce k.
=== Exhaustive Bit Analysis of S ===
Total signatures: 5
Number of fixed bits (always 0 or 1): 16
Fixed bits:
Bit 4: always 0
Bit 8: always 1
Bit 49: always 0
Bit 50: always 0
Bit 55: always 1
Bit 69: always 0
Bit 77: always 1
Bit 93: always 0
Bit 102: always 1
Bit 103: always 1
Bit 116: always 0
Bit 146: always 0
Bit 180: always 0
Bit 183: always 0
Bit 202: always 0
Bit 255: always 0
Max block of consecutive fixed bits: 2 bits (starting at bit 49)
Low 8 bits of S: ['0x6e', '0x2a', '0x29', '0xe4', '0xcc']
Result:
MAX BIAS: 16 fixed bits; max block = 2 bits
→ Strong bias detected, possibly due to structural patterns in k
Can such a bias with only 5 signatures be sufficient to attempt an LLL attack?
Any thoughts or experiences would be greatly appreciated.
Thanks in advance!
