The biggest thing Im struggling with rn is not the theoretical attack flows. It’s literally the sheer number of variables and tracking what people are supposed to have vs absolutely cannot have. Keygen reveals X^y Round 1 reveals y mod q On and on and on Ultimately you’re trying to solve for 1 parameter in a long equation. But also it could be any number of parameters bc, again, so many different parameters and combinations of parameters and being shared and you can solve equations in many many ways. Some shit happens during keygen, some during signing, and even more during aborts/blames (when signing fails at some point in the 7 fucking rounds) And on top of it, since you’re a malicious attacker, you can craft your own parameters. You can even change them over time. Which will then result in different outputs being returned. Which leaks information. All of which would allow the equation to be solved. And thus you, the attacker, being able to derive the underlying ECDSA key that shouldn’t exist. One example: