LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What happens if the random nonce k in ECDSA is reused or predictable?

If k is reused for two different messages, the private key can be trivially recovered from the two signatures — this is a catastrophic implementation failure.

Nonce-reuse attack flow: two signatures sharing r imply the same k, letting the attacker solve for k and then the private key d

* Two signatures with the same $r$ betray a repeated $k$; subtracting their $s$ equations yields $k$, and then the private key $d$ falls out algebraically. *

The math: Given two signatures $(r, s_1)$ and $(r, s_2)$ for messages $m_1$ and $m_2$ with the same $k$:

  • Both have the same $r$ (since $R = k \cdot G$ is the same)
  • $s_1 = k^{-1}(h_1 + r \cdot d)$ and $s_2 = k^{-1}(h_2 + r \cdot d)$
  • Subtracting: $s_1 - s_2 = k^{-1}(h_1 - h_2)$
  • Therefore: $k = (h_1 - h_2)(s_1 - s_2)^{-1} \mod n$
  • Once $k$ is known: $d = r^{-1}(k \cdot s_1 - h_1) \mod n$ → private key recovered!

Real-world incident — Sony PS3 (2010):

  • Sony used ECDSA to sign PS3 firmware
  • They used a fixed value of k (not even reused — literally constant!)
  • Hackers (fail0verflow) noticed all signatures had the same $r$
  • Extracted Sony's private signing key → could sign custom firmware
  • Led to PS3 jailbreaking

Lesson: The random nonce $k$ must be truly random and unique for every signature. Modern implementations use deterministic $k$ generation (RFC 6979) — deriving $k$ from the message and private key via HMAC, ensuring uniqueness without relying on the RNG.

Go deeper:

From Quiz: KRYPTOG / Elliptic Curve Cryptography | Updated: Jul 14, 2026