Here’s a realistic theoretical case involving valid ECDSA signatures over the secp256k1 curve, and RFC6979 was not used (nonces were random).
Context:
• There are 7 private keys: d₁ through d₇
• 3 nonces (k₁, k₂, k₃) are reused across several keys (can also be their negative: -k)
• A total of 9 valid ECDSA signatures are available in the form (r, s, z)
Nonce Usage:
• d₁ signed using k₁, k₂, k₃ (or -k₁, -k₂, -k₃)
• d₂ and d₃ signed using k₁ (or -k₁)
• d₄ and d₅ used k₂ (or -k₂)
• d₆ and d₇ used k₃ (or -k₃)
We do not know any private key or nonce in advance.
My question is:
Is this system of 9 ECDSA equations in 10 unknowns guaranteed to be solvable with mathematical certainty?
Considering that d₁ links all three nonce-sharing groups, acting as a bridge across the system?
Here’s a simplified example using small, fictitious numbers, not real secp256k1 values, just to illustrate how the equations link together.
All calculations are modulo a small fake order n = 101 for clarity.
Sample Signatures (toy values):
• Sig 1 (d₁, k₁): (r=17, s=64, z=35)
• Sig 2 (d₁, k₂): (r=22, s=15, z=40)
• Sig 3 (d₁, k₃): (r=30, s=45, z=50)
• Sig 4 (d₂, k₁): (r=17, s=72, z=20)
• Sig 5 (d₃, k₁): (r=17, s=33, z=55)
• Sig 6 (d₄, k₂): (r=22, s=12, z=30)
• Sig 7 (d₅, k₂): (r=22, s=90, z=70)
• Sig 8 (d₆, k₃): (r=30, s=22, z=25)
• Sig 9 (d₇, k₃): (r=30, s=18, z=90)
Unknowns:
• Private keys: d₁ to d₇
• Nonces: k₁ to k₃
Thanks
you can easy solve the puzzle
if you do have
r value same that it has been repeated on 2 output transaction
and if you can extract r, s1, s2, z1, z2 you can get the privat key
with a simple math on python
If the same
r is used in two different transactions signed by the same private key
s1 = (z1 + r*d) / k mod n
s2 = (z2 + r*d) / k mod n
you can isolate k and solve for d (the private key)
k = (z1 - z2) / (s1 - s2) mod n
d = ((s1 * k - z1) / r) mod n
There are also tools that you can use to see if your address has reused r value
https://github.com/CryptoApex23/reused_r_scanner
