Board: Development & Technical Discussion
Topic: Re: Reused R values
by interiawp on 02/10/2021, 08:08:33 UTC
@NotATether
Could you clarify your calculation? Is there a fault in the calculation?
When r1=r2 and s1=s2, it should be for k from your formula:

Quote
H here represents the message hash.

the nonce k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n

k = s2*s1^-1 - h2*s1^-1 + h1 - s2*r1^-1 + h2*r1^-1 - s1*h1*r1^-1

then:
k = 1 - h2*s1^-1 + h1 - s2*r1^-1 + h2*r1^-1 - s1*h1*r1^-1

not as you mentioned:

Quote
Which is just s2h1-h2s1 - s2r1^-1 + h2r1^-1 + s1h1r1^-1.

It is quite definitely possible to retrieve the private key because reusing R implies you reused the secret nonce K, and reusing S just makes the calculation easier.

By plugging in numbers in this post, and using the fact that r1 = r2, s1 = s2, you get:

H here represents the message hash.

the nonce k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n

= (s2-h2+s1h1)s1^-1 - (s2-h2+s1h1)r1^-1

Which is just s2h1-h2s1 - s2r1^-1 + h2r1^-1 + s1h1r1^-1.

Now that we have k, which is required to get the private key, we can change variables of the ECDSA equation s = k^-1(h1 + r1 dA) to dA the private key (we don't have to use (h1,r1,s1); you can also use (h2,r2,s2) if you want).

dA the private key = (s1*k - h1)r1^-1 OR (s2*k - h2)r2^-1.