It is a well-known fact that knowing the nonce used in signing an ECDSA signature allows the private key to be computed easily from that signature. If I understand it correctly, this nonce is a positive integer of finite size, so there aren't that many possibilities compared to trying to brute-force the private key directly. Actually, I read that in some cases knowing only one bit of the nonce is enough to find it (lattice attacks). So is it possible with a powerful computer to brute-force the nonce in a sensible amount of time to get the private key?
1 Answer
You are confusing the biased-nonce attack with brute force. The lattice attacks require a bias on the generation of the nonce to recover the key.
Brute-forcing the nonce, on the other hand, is not possible for a classical attacker if you use a 256-bit curve, since $k$ is chosen uniformly at random from $[1,n-1]$, where $n$ is the order of the base point $G$.
kelalaka
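The two points in the answer, as an added worked example that is not part of the original question or answer: the key-recovery formula $d = r^{-1}(sk - z) \bmod n$ that makes a known nonce fatal, and the reason brute force does not help when $k$ is uniform on $[1,n-1]$. The code is a minimal pure-Python ECDSA over secp256k1 (affine arithmetic, no library). The private key, message and nonces are constructed test values; the small nonce `1234` exists only to show that the search is feasible exactly when the nonce lies in a tiny range, which is a biased-nonce situation, not the uniform case the answer describes.

```python
import hashlib

# secp256k1 domain parameters (field prime, group order, base point)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def sign(d, z, k):
    """Textbook ECDSA: r = x(kG) mod n, s = k^-1 (z + r d) mod n."""
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another nonce")
    return r, s


def verify(pub, z, r, s):
    w = pow(s, -1, N)
    x = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))[0]
    return x % N == r


def recover_private_key(r, s, z, k):
    """Rearranging s = k^-1 (z + r d): d = r^-1 (s k - z) mod n."""
    return pow(r, -1, N) * (s * k - z) % N


def brute_force_nonce(r, limit):
    """Try k = 1..limit, checking x(kG) mod n == r. Each step is one point addition,
    so the cost is proportional to the size of the range searched."""
    point = None
    for k in range(1, limit + 1):
        point = point_add(point, G)
        if point[0] % N == r:
            return k
    return None


def search_space_bits():
    """Uniform k on [1, n-1] leaves about 2^256 candidates for the loop above."""
    return N.bit_length()


# Constructed test values (not from any real signing key).
PRIVATE_KEY = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
MESSAGE = b"constructed message for the worked example"
Z = int.from_bytes(hashlib.sha256(MESSAGE).digest(), "big") % N
FULL_SIZE_NONCE = 0x9E56F509328A0A3F8D59D0F7F0F3F6D5E2B3C9A1D4F8E7C6B5A49382716F0E1D  # ~2^256 range
SMALL_NONCE = 1234  # hypothetical broken RNG, only to show when brute force works

if __name__ == "__main__":
    r, s = sign(PRIVATE_KEY, Z, FULL_SIZE_NONCE)
    print("valid:", verify(scalar_mult(PRIVATE_KEY, G), Z, r, s))
    print("key recovered from known nonce:", recover_private_key(r, s, Z, FULL_SIZE_NONCE) == PRIVATE_KEY)
    print("brute force over 2000 candidates, uniform nonce:", brute_force_nonce(r, 2000))
    r2, s2 = sign(PRIVATE_KEY, Z, SMALL_NONCE)
    print("brute force over 2000 candidates, tiny nonce:", brute_force_nonce(r2, 2000))
    print("search space bits for a uniform nonce:", search_space_bits())
```

`recover_private_key` needs nothing but the public signature `(r, s)`, the message hash and the nonce, which is why a single nonce leak (or reuse, where two signatures share `k`) ends the key. `brute_force_nonce` is the whole brute-force attack; it succeeds for the constructed 1234 within 2000 point additions and fails for the full-size nonce, and the only thing that changed is the size of the range the nonce was drawn from.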