It is quite definitely possible to retrieve the private key because reusig R implies you reused the secret nonce K, and reusing S just makes the calculation easier.
By plugging in numbers in
this post, and using the fact that r1 = r2, s1 = s2, you get:
H here represents the message hash.
the nonce k = (s2 - h2 + s1h1)(s1 - r1)
-1 mod n
= (s2-h2+s1h1)s1
-1 - (s2-h2+s1h1)r1
-1Which is just s2h1-h2s1 - s2r1
-1 +h2r1
-1+s1h1r1
-1.
I am no mathematician, but I cannot see from the above how k can be calculated with the same values for s. s1 and s2 are even being used in the example.
Nor can I get k = (s2 - h2 + s1h1)(s1 - r1)
-1 mod n to produce the correct output even with different s values. Perhaps I am not forming the code correctly?
this python code works but you need 2 different values for s.
k = modinv(s, N) * (z1 + r * (z1*s2 - z2*s1) * modinv((r*(s1-s2)), N)) % N .
What am I missing? Is it possible to calculate k correctly with identical s values? Thanks