How is Bayes’ theorem calculated when multiple pieces of evidence that support or rebut a hypothesis with different strength amounts have to be considered? Here is an example scenario.

There are two jars, each filled with 20 balls. The left jar has 18 green balls and two orange balls. The right jar has five green balls and 15 orange balls. Each ball weighs about 70 grams regardless of color. Each jar sits on top of its own electronic scale. You close your eyes and are given one of the balls at random. The ball is green, but the right jar’s scale reading is 70 grams lighter than what it previously was. How would this be computed? Primal Groudon (talk) 21:38, 16 April 2025 (UTC)[reply]

We use the following notations for various events:

${\displaystyle L}$: the ball was drawn from the left jar.

${\displaystyle G}$: the ball is green.

${\displaystyle W}$: the right jar is lighter than before.

(These each have complementary events, which if they need to be denoted can be done by using an overbar; for example, ${\displaystyle {\overline {G}}}$ would mean: the ball is orange. Then ${\displaystyle P(G\cap {\overline {G}})=0}$ and ${\displaystyle P(G\cup {\overline {G}})=1.}$)

In the set up, we know by prior real-world knowledge that jars do not get spontaneously lighter, so ${\displaystyle P(L\cap W)=0.}$

If we try to apply Bayes' theorem we do not directly get anywhere. Ii is easier to go back to basics, the definition of conditional probability:

${\displaystyle P(A|B)={\frac {P(A\cap B)}{P(B)}},{\text{ provided that }}P(B)>0.}$

The role of ${\displaystyle A}$ – the event whose likelihood is to be determined – is taken by ${\displaystyle L,}$ while ${\displaystyle B}$ – the observed event – is ${\displaystyle G\cap W.}$ Then we get:

${\displaystyle P(L|G\cap W)={\frac {P(L\cap G\cap W)}{P(G\cap W)}}.}$

We know that ${\displaystyle P(L\cap W)=0.}$ Thus, a fortiory, ${\displaystyle P(L\cap G\cap W)=0,}$ and so ${\displaystyle P(L|G\cap W)=0.}$

The problem in applying Bayes' theorem is that it uses the conditional probability with the events swapped, ${\displaystyle P(G\cap W|L),}$ which is not directly available. It can likewise be determined by applying the basic definition of conditional probability; however, this route is an unnecessary detour.  ​‑‑Lambiam 22:51, 16 April 2025 (UTC)[reply]

There’re a lot of papers on how to recover a private key from a nonce leakage in a ᴇᴄᴅꜱᴀ signature. But the less bits are known the more signatures are required.

Now if I don’t know anything about private key, how much higher order or lower order bits leakage are required at minimum in order to recover a private key from a single signature ? I’m interested in secp256k1. 2A01:E0A:ACF:90B0:0:0:A03F:E788 (talk) 22:37, 16 April 2025 (UTC)[reply]

According to the abstract of this paper, the answer is: 12 bits.  ​‑‑Lambiam 23:09, 16 April 2025 (UTC)[reply]

The question is how to do it in pratice ? The paper seems only theoritical and do not seems to speak on how to implement it. This might means for actually doing it that the number of bits is larger. 37.171.242.50 (talk) 10:17, 17 April 2025 (UTC)[reply]

If you have the capability of mounting side-channel attacks to give you 12 bits, surely you are also able to use their method of attack, which they qualify as being "very practical", to obtain the coveted secret key.  ​‑‑Lambiam 13:56, 17 April 2025 (UTC)[reply]

I just temporarirly uploaded it to https://jumpshare.com/s/236VsVoUccTfoWhSv9go. It seems to require several signatures and not just 1. 78.246.6.147 (talk) 15:08, 17 April 2025 (UTC)[reply]