Bitcoin Forum
Topic: lattice-attack || 1-bit signatures r s z
same2026 (OP)
Newbie
Activity: 1
Merit: 0
April 21, 2026, 02:11:11 PM
 #1

I was using this git repo, https://github.com/bitlogik/lattice-attack, to generate 1-bit signatures, then ran it: private key not found. Huh?

So, I needed to look at 1-bit signature r s z values to solve for the private key. If anyone has 1-bit r s z values, please share them here. I was testing to prove 1 bit can solve d.

How many 1-bit r s z signatures are needed to solve d?
Please share. I am a student trying to prove 1-bit can solve d.

I need a 1-bit r s z known_bits file in txt, JSON, or any format.
kTimesG
Full Member
Activity: 826
Merit: 249
April 21, 2026, 05:26:39 PM
Merited by ertil (1)
 #2

More than it can fit in your RAM.

Off the grid, training pigeons to broadcast signed messages.
ertil
Full Member
Activity: 200
Merit: 350
April 21, 2026, 06:21:09 PM
 #3

One bit signature doesn't make sense, even for very small elliptic curves, for example p=79, n=67, base=(1,18). Even in that case, it is marked as a 7-bit curve (which could provide something like 6-bit security in practice, because 79 or 67 are much closer to 64 than to 128).

If you want to have one-bit values inside a signature, then you expect to have every value equal to exactly zero, or exactly one. This is what a single bit can store, nothing else. Which means that (r=0,s=0), (r=0,s=1), (r=1,s=0), and (r=1,s=1) are all possible signatures. What do you want to get here? Private keys are in range from 1 to n-1. If n=2 in some very weak curve, then you have a generator, and a point at infinity, and absolutely nothing else.

Quote
More than it can fit in your RAM.
Well, if we assume that a single bit is not what is stored, but what is known, which would mean 255-bit signatures, then yes, it won't fit in RAM.
kTimesG
Full Member
Activity: 826
Merit: 249
April 22, 2026, 05:50:02 PM
Last edit: April 22, 2026, 06:36:35 PM by kTimesG
 #4

Quote
One bit signature doesn't make sense

I assumed OP meant 1 bit biased nonces to solve lattice. If you force s to 1-bit .... nvm was drunk, s-value cannot be forced since r needs to equal kG.x mod n.

Off the grid, training pigeons to broadcast signed messages.
vdog99
Newbie
Activity: 15
Merit: 0
April 23, 2026, 10:27:50 PM
 #5

You can't use a lattice attack for 1-bit nonce bias. It is impossible.

The Euclidean length of the target error vector actually surpasses the radius of the lattice's Voronoi cell limit (the Gaussian heuristic) or, in simplistic terms, in the real the vector which is your secret key is hidden noise. In large dimensions it is an almost impossible amount of noise.

You need to use a Fourier attack.
Here is the discussion of the topic: https://bitcointalk.org/index.php?topic=5512838.0


flapduck
Full Member
Activity: 142
Merit: 167
May 08, 2026, 03:55:40 PM
 #6

The confusion here is probably in the wording. There is no such thing as a useful "1-bit r s z signature" in the way you seem to mean it. r, s, and z are still full size values. What matters for the lattice attack is what you know about the nonce k, not whether the signature text file has some cute 1-bit label on it.

If you know the full nonce, one signature is enough. If you know almost all of the nonce, a few signatures can be enough. If you know several fixed MSB/LSB bits across many signatures, lattice can start becoming useful depending on the bit count and signature count. But one known bit per nonce on secp256k1 is basically asking the lattice to find a needle in a needle factory during a power cut. The error term is too large, the dimension gets ugly, and the reduction does not magically turn that into a private key.

Also, as ktimes already hinted, you cannot just force s or r into being "1 bit" and expect that to model a real ECDSA weakness. r comes from k*G, and s = k^-1(z + r*d) mod n. If you force k into a tiny range, then yes, the key falls over immediately, but that is not a lattice attack anymore, that is just "your nonce generator is drunk and should not be allowed near cryptography".

So if the tool says private key not found, that is probably the correct result. Feed it a realistic test where, say, multiple bits of each nonce are known in the way the tool expects. With one bit, you are not proving "one bit can solve d", you are mostly proving that laptops can be converted into small space heaters.

flapduck reporting for duty
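
Added example, not part of any post above and not code from the lattice-attack repository: a rough estimate of how many signatures the lattice needs before the hidden nonce-error vector is expected to be shorter than the Gaussian heuristic, for a given number of known nonce bits. It assumes the textbook hidden-number-problem embedding lattice of dimension m+2 with scaling B = n/2^(l+1), uniformly distributed unknown nonce bits, and log2(n) = 256; the function names are made up for this example.

```python
import math

LOG2_N = 256.0  # assumption: group order n is just under 2**256 (secp256k1)


def margin_bits(known_bits: int, m: int, log2_n: float = LOG2_N) -> float:
    """log2(Gaussian heuristic / expected target norm) for m signatures.

    Positive: the error vector is expected to be the shortest vector.
    Negative: it is buried among ordinary lattice vectors (the "noise").
    """
    dim = m + 2
    # Known top bits leave an error in [0, n/2**l); recentering halves the bound.
    log2_b = log2_n - (known_bits + 1)
    # Assumed basis: m rows n*e_i, one row (t_1..t_m, B/n, 0), one row
    # (a_1..a_m, 0, B), so det = n**(m-1) * B**2.
    log2_vol = (m - 1) * log2_n + 2 * log2_b
    log2_gh = 0.5 * math.log2(dim / (2 * math.pi * math.e)) + log2_vol / dim
    # Target (e_1..e_m, B*d/n, B) with uniform e_i: E[norm^2] = B^2 * ((m+1)/3 + 1).
    log2_target = log2_b + 0.5 * math.log2((m + 1) / 3 + 1)
    return log2_gh - log2_target


def min_signatures(known_bits: int, limit: int = 5000):
    """Smallest m with a positive margin, or None if none exists up to limit."""
    for m in range(1, limit + 1):
        if margin_bits(known_bits, m) > 0:
            return m
    return None


if __name__ == "__main__":
    for bits in (0, 1, 2, 4, 8):
        m = min_signatures(bits)
        if m is None:
            print(f"{bits} known bits: target never drops below the heuristic")
        else:
            print(f"{bits} known bits: threshold at {m} signatures "
                  f"(lattice dimension {m + 2}), "
                  f"margin at 2x that: {margin_bits(bits, 2 * m):.2f} bits")
```

Crossing the threshold only says the target is expected to be the shortest vector; a reduction algorithm still has to find it in that dimension, which is the part that does not scale for one known bit.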