Lattice-attack || If Know 4bit nonce to predict MSB or LSB

[same2026]

Lattice-attack || If Know 4bit nonce to predict 'd' MSB 4bit  or LSB 4bit    <reverse> If Know 4bit 'd' to predict nonce MSB 4bit or LSB 4bit

private  =  0x2966130c44669056359323ed640f0d9458a0f82fe0328bdc8ee72599c3602dae
pub       =  private*G
nonce    =  0x1f18f5c6507511b559fb5e6d58b8af0fac075b922acab1acf3ca415de73a6282
message=  0x9765f3ff01c9a476a71d8ae8b452a876e0784a76526f46da7b2de5984f4bf851
r,s,z       = sign(private,nonce,message)

r   = 0xd57a46d3672b3d428a5d8ccb91ced3400959127f76f15a7d99a1002e690dec20
s   = 0x95e836298458e00a6f11e291cd7e45003b3ffd886a0048d52f9665a6a5603ad6
z   = 0x9765f3ff01c9a476a71d8ae8b452a876e0784a76526f46da7b2de5984f4bf851

pub= 0x30c7d40d49e6e639ef0a33229420fde736712073c1230513297a637207c54490 0x3331b0b1ef655e237bcc2e6f6664b6f1567a0696c6e7aad4b1d15507ef4f27e5

Only one signature 4-bit use to MSB or LSB accurate guess.
MY ENGLISH LITTLE SPEAK

I PAY $1000

Use this code formula to change or modify to achieve this goal.

Code:

if bits_type == "LSB":
        for i in range(num_sigs):
            lattice[i, i] = 2 * kbi * n_order
            if hash_val is None:
                hash_i = sigs[i]["hash"]
            lattice[num_sigs, i] = (
                2
                * kbi
                * (
                    inv(kbi, n_order)
                    * (sigs[i]["r"] * inv(sigs[i]["s"], n_order))
                    % n_order
                )
            )
            lattice[num_sigs + 1, i] = (
                2
                * kbi
                * (
                    inv(kbi, n_order)
                    * (sigs[i]["kp"] - hash_i * inv(sigs[i]["s"], n_order))
                    % n_order
                )
                + n_order
            )
    else:
        # MSB
        for i in range(num_sigs):
            lattice[i, i] = 2 * kbi * n_order
            if hash_val is None:
                hash_i = sigs[i]["hash"]
            lattice[num_sigs, i] = (
                2 * kbi * ((sigs[i]["r"] * inv(sigs[i]["s"], n_order)) % n_order)
            )
            lattice[num_sigs + 1, i] = (
                2
                * kbi
                * (
                    sigs[i]["kp"] * (curve_card // kbi)
                    - hash_i * inv(sigs[i]["s"], n_order)
                )
                + n_order
            )
    lattice[num_sigs, num_sigs] = 1
    lattice[num_sigs + 1, num_sigs + 1] = n_order
    return lattice

Is anyone already trying this?

Puzzle 135: I have the vulnerable signatures 30 MSB or LSB 4 bits I know, but 4 bits need 87 signatures, so my 30 signatures used to predict every balance signature: 4bit MSB or LSB.

My goal is also only one signature 4-bit use to MSB or LSB accurate guess.

[same2026]

private  =  0x2966130c44669056359323ed640f0d9458a0f82fe0328bdc8ee72599c3602dae We can get LSB or MSB useing 128-bit nonce?
pub       =  private*G
nonce    =  0x1f18f5c6507511b559fb5e6d58b8af0fac075b922acab1acf3ca415de73a6282   I know 128 bit LSB in Nonce
message=  0x9765f3ff01c9a476a71d8ae8b452a876e0784a76526f46da7b2de5984f4bf851


If Know nonce 128-bit LSB ,so we can get private key MSB 128-bit or LSB 128-bit ? useing only one signature ?

any one help please
any math formula ?

[vdog99]

Mathematically Impossible for Hidden Number Problem

you need 2 or more signatures if you know the 128 Bit of the Biased Nonce.

There may  or may not be clever algorithms to brute-force this for the first 128 Bits

[BattleDog]

You are mixing a few different attacks into one soup here, and the soup is starting to look radioactive, lol.

For ECDSA you have s*k = z + r*d mod n. If you know the full k, the private key falls out instantly. If you only know 4 bits of k, you know basically nothing useful. You have 252 bits of fog left. That is not a lattice attack, that is asking the universe to autocomplete your homework.

With 128 known bits it becomes more interesting, but still not "one signature and done" in the lattice sense. Lattice/HNP works because you collect many signatures from the same private key, each leaking a little bit about its nonce, then the repeated structure gives the lattice something to grab onto. One signature gives you one modular equation with two secrets dancing around in it. No grip.

There is one caveat: with the public key and signature you can treat it like a partial discrete log problem against the nonce point, because r is the x-coordinate of kG. If you know half the nonce, then you reduced the search space a lot, and Pollard kangaroo / interval DLP style attacks become the right conversation. But that is not "predict MSB/LSB from 4 bits", and it is still not a cute Python loop unless your electricity is free and your calendar ends in the next century. 

So for your $100 formula: if you have full nonce, use d = (s*k - z) * inverse(r, n) mod n. If you have only 4 bits, no formula saves you. If you have 128 bits from several signatures, then build the HNP lattice properly. If you have only one signature and only 4 known bits, go make coffee instead. It will produce better entropy.