Rating:
tldr;
- standard ECDSA with secure curve (prime order 512 bits), we get two messages and signatures from Bob to Alice
- nonce generation is weak and has only 128 bits of entropy
- use lattice techniques to recover Bob's private key
- Alice's public key can be recovered from signatures she's made
[writeup](https://jsur.in/posts/2021-07-19-google-ctf-2021-crypto-writeups#h1)
