# biased ECDSA nonces enable lattice-based private key recovery with as few as two or three signatures
Nonce reuse is the catastrophic case, but partial information suffices. The "Biased Nonce Sense" paper (Breitner and Heninger, ePrint 2019/023) cast key recovery from nonces with a few known or fixed bits (short nonces, shared most-significant bits, nonces related by a known affine map) as an instance of the Hidden Number Problem (HNP), solvable by lattice reduction (LLL/BKZ). Each signature yields a linear relation `k_i = t_i*d + u_i (mod n)` between the secret key `d` and a nonce `k_i` that is known to be unusually small; the vector of all nonces is then an unusually short vector in a lattice built from the public signature values, and lattice reduction finds it.
Results (256-bit curves such as secp256k1):
- **2 signatures** with 128-bit nonces (top 128 bits zero): 75% key recovery probability
- **3 signatures** with 170-bit nonces: 95% key recovery probability
- **Affinely related nonces** (`k_m = a*k_n + b` with `a`, `b` known): algebraic recovery from two signatures, no lattice needed; `a = 1, b = 0` is plain nonce reuse
- **LadderLeak** (Aranha et al., CCS 2020): cache timing on the Montgomery ladder leaks less than one bit of the nonce per signature, and enough signatures still suffice
- **Half-Half attack** (Kudelski 2025): single signature gives 99.99% recovery in 0.48 seconds
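The two attacks that need the fewest signatures, worked end to end as an added example (this code is not from the Breitner and Heninger paper or any wallet library): textbook ECDSA over the real secp256k1 parameters in pure Python, then algebraic recovery from two affinely related nonces (the relation `a = 3, b = 12345` is a constructed assumption standing in for a weak counter or LCG the attacker has characterized), and HNP lattice recovery from four signatures whose 256-bit nonces have their top 128 bits zero. The lattice is the Howgrave-Graham and Smart form in which `d` is eliminated via the first signature (`k_i = a_i*k_1 + b_i mod n`), a variant of the paper's matrix rather than a copy of it; the LLL is a small exact-rational textbook implementation, adequate for 4 to 6 dimensions. The victim key and nonces are constructed from a fixed seed only so the recovered key can be checked.

```python
from fractions import Fraction
import hashlib, random

# secp256k1 (a = 0), affine coordinates, not constant-time: this is attacker-side code.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(P, Q):
    if P is None: return Q
    if Q is None: return P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0: return None
    lam = (3 * P[0] * P[0] * pow(2 * P[1], -1, p) if P == Q
           else (Q[1] - P[1]) * pow((Q[0] - P[0]) % p, -1, p)) % p
    x = (lam * lam - P[0] - Q[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)

def ec_mul(k, P):
    R = None
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def h_of(msg): return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(d, msg, k):  # textbook ECDSA with a caller-chosen nonce k
    r = ec_mul(k, G)[0] % n
    return r, pow(k, -1, n) * (h_of(msg) + r * d) % n

def recover_affine(sig1, h1, sig2, h2, a, b):
    """k2 = a*k1 + b (mod n) with a, b known; a = 1, b = 0 is plain nonce reuse.
    Substituting k1 = (h1 + r1*d)/s1 into s2*k2 = h2 + r2*d leaves one equation in d."""
    (r1, s1), (r2, s2) = sig1, sig2
    c = a * s2 * pow(s1, -1, n) % n
    return (h2 - s2 * b - c * h1) * pow((c * r1 - r2) % n, -1, n) % n

def lll(B, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals: fine for the 4-6 dimensional lattices used here."""
    B, m = [list(map(Fraction, row)) for row in B], len(B)
    def gso():  # Gram-Schmidt vectors and coefficients of the current basis
        Bs, mu = [], [[Fraction(0)] * m for _ in range(m)]
        for i in range(m):
            v = B[i][:]
            for j in range(i):
                mu[i][j] = sum(x * y for x, y in zip(B[i], Bs[j])) / sum(y * y for y in Bs[j])
                v = [x - mu[i][j] * y for x, y in zip(v, Bs[j])]
            Bs.append(v)
        return Bs, mu
    Bs, mu = gso()
    k = 1
    while k < m:
        for j in range(k - 1, -1, -1):  # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                B[k] = [x - q * y for x, y in zip(B[k], B[j])]
                Bs, mu = gso()
        if sum(x * x for x in Bs[k]) >= (delta - mu[k][k-1] ** 2) * sum(x * x for x in Bs[k-1]):
            k += 1  # Lovasz condition holds, move on
        else:
            B[k], B[k-1] = B[k-1], B[k]
            Bs, mu = gso()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in B]

def recover_short_nonces(sigs, hs, nonce_bits, Q):
    """HNP: every nonce satisfies 0 < k_i < 2**nonce_bits. From k_i = t_i*d + u_i
    (t_i = r_i/s_i, u_i = h_i/s_i mod n) eliminate d with the first signature, giving
    k_i = a_i*k_1 + b_i (mod n); (k_1, ..., k_m, B) is then a short lattice vector."""
    m, B = len(sigs), 1 << nonce_bits
    t = [r * pow(s, -1, n) % n for r, s in sigs]
    u = [h * pow(s, -1, n) % n for (r, s), h in zip(sigs, hs)]
    a = [ti * pow(t[0], -1, n) % n for ti in t[1:]]
    b = [(ui - ai * u[0]) % n for ui, ai in zip(u[1:], a)]
    rows = [[n if c == i else 0 for c in range(m + 1)] for i in range(1, m)]  # n*e_i rows
    rows += [[1] + a + [0], [0] + b + [B]]
    (r1, s1), h1 = sigs[0], hs[0]
    for row in lll(rows):
        for sgn in (1, -1):  # the target vector may come out negated
            if row[-1] * sgn == B:
                d = (s1 * row[0] * sgn - h1) * pow(r1, -1, n) % n  # k_1 -> d
                if ec_mul(d, G) == Q: return d  # confirm against the public key
    return None

rng = random.Random(2019)  # fixed seed: constructed, reproducible victim key and nonces
d_secret = rng.randrange(1, n)
Q = ec_mul(d_secret, G)

def demo_affine():
    k1 = rng.randrange(1, n)
    a, b = 3, 12345  # assumed known relation between the two nonces (hypothetical weak generator)
    sigs = [sign(d_secret, msg, k) for msg, k in ((b"tx-1", k1), (b"tx-2", (a * k1 + b) % n))]
    return recover_affine(sigs[0], h_of(b"tx-1"), sigs[1], h_of(b"tx-2"), a, b)

def demo_lattice(num_sigs=4, nonce_bits=128):
    msgs = [b"tx-%d" % i for i in range(num_sigs)]
    ks = [rng.getrandbits(nonce_bits) | 1 for _ in msgs]  # top 128 of the 256 nonce bits are zero
    sigs = [sign(d_secret, msg, k) for msg, k in zip(msgs, ks)]
    return recover_short_nonces(sigs, [h_of(msg) for msg in msgs], nonce_bits, Q)
```

`demo_affine()` and `demo_lattice()` both return `d_secret`. Four signatures are used in the lattice case for margin: with `B = 2^128` the target vector has norm about `sqrt(5)*2^128`, while the lattice determinant `n^3 * B` predicts generic vectors around `2^178`, so LLL with the default `delta = 3/4` finds it reliably; three signatures already satisfy the condition `N < m*(N - b)` (here `256 < 3*128`), and the paper's two-signature figure sits exactly on the boundary, which is why it is probabilistic. Everything the attacker feeds in (`r`, `s`, the message hash, the public key) is public on-chain data; only the nonce bound or the affine relation is extra knowledge.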
Relevance for on-chain signers (hardware wallets, HSMs and embedded signing devices behind smart-contract transactions): hardware RNGs on such devices may carry subtle biases, side-channel attacks extract partial nonce information, and TRNG failures under load introduce systematic bias. Every signature these devices emit is public on the chain, so an attacker can collect as many as the attack needs at leisure.
Since [[ECDSA nonce reuse directly reveals the private key because two signatures sharing the same r value expose k algebraically]], exact reuse is the worst case, but any detectable deviation from uniform nonces is exploitable given enough signatures. The defense: [[RFC 6979 deterministic nonce generation eliminates ECDSA private key leakage from randomness failures by deriving nonces from message and private key]] removes both reuse and RNG bias. It does not remove side-channel leakage of nonce bits: LadderLeak recovers bits of `k` from the scalar multiplication regardless of how `k` was generated, so a deterministic nonce still needs a constant-time scalar multiplication behind it.
---
Relevant Notes:
- [[ECDSA nonce reuse directly reveals the private key because two signatures sharing the same r value expose k algebraically]]: the baseline nonce vulnerability; biased nonces generalize this attack
- [[RFC 6979 deterministic nonce generation eliminates ECDSA private key leakage from randomness failures by deriving nonces from message and private key]]: the unified defense for all nonce-based ECDSA attacks
Topics:
- [[vulnerability-patterns]]