**Approach summary (high level)** Use the leaked 1 bit per nonce to convert ECDSA signatures into approximate linear equations in the private key d and unknown small integers. Collect many such equations and solve the Hidden Number Problem with a lattice (LLL / Babai) to recover d.**Math / derivation** From ECDSA signature (r, s) on message with hash h and group order q:text
s * k ≡ h + r * d (mod q)
Solve for k:text
k ≡ s^{-1} * (h + r * d) (mod q)
If the oracle gives b = k mod 2, write k = 2 t + b for integer t. Substitute:text
2 t + b ≡ s^{-1} * (h + r * d) (mod q)
Rearrange to linear form:text
r' * d - 2 t ≡ c (mod q) where r' = s^{-1} r, c = s^{-1} h - b (all modulo q)
Lift to integers by choosing representative in [ -q/2, q/2 ] to get:text
| r' * d - 2 t - c | < q/2
Unknowns are integer d (same for all eqns) and small t_i. This is an instance of the Hidden Number Problem / closest vector problem and can be attacked by building a lattice whose short vector encodes d.**Attack steps**- Collect m signatures with leaked bits b_i, compute r'_i and c_i.- Build lattice with rows encoding 2 and r'_i scaled by a factor B (to balance sizes) and target vector of c_i.- Apply LLL to find small integer solution vector; use Babai rounding to recover candidate d.- Verify d by checking a public key.**Sample complexity (estimate)** Required m is proportional to bit-length of q. In practice for single-bit leaks, experiments and literature indicate m ≈ 1–3 × n where n = bit-length(q). For a 256-bit q, expect O(300–800) signatures. Exact number depends on lattice conditioning and scaling choices.**Practical obstacles**- Lattice attacks rely on good scaling and sufficient equations; LLL may fail if m too small or noise (wrong bit) exists.- Modular reductions and wrap-around require careful lifting to integers.- Real-world noise: oracle errors, rate-limited signing, or non-uniform nonce selection degrade success.- Computational cost: lattice dimension equals m+1; large m increases runtime and LLL may be slow.**Countermeasures**- Use deterministic nonces (RFC6979) or strong CSPRNG so no leakage.- Blinding: randomize k or use multiplicative/additive blinding per-signature.- Ensure constant-time implementations to avoid side-channels leaking nonce bits.- Use signature schemes with provable nonce reuse protections or adopt EdDSA style deterministic constructions.This attack is well-studied (Bleichenbacher / Boneh-Venkatesan / Nguyen-Shparlinski styles) and demonstrates that even 1 bit of per-signature leakage suffices to recover the private key with a lattice-based Hidden Number Problem solver given enough samples.