by dilippkumar
1525 days ago
> If an attacker can ever guess a single bit of the nonce with probability non-negligibly >50%, they can find the private key of whoever signed the message(s).

This doesn't seem right. Why wouldn't someone guess a bit 0, see if the recovered message makes sense, and if it doesn't, then try bit 1? It would make the entire scheme useless, no? Am I missing something?