 |
March 06, 2026, 03:42:06 AM |
|
Hello,
I would like to present an interesting ECDSA signature scenario involving what appears to be nonce reuse across different private keys.
Problem setup
Private keys:
d1, d2, d3, d4, d5, d6, d7
Nonces:
k1, k2, k3
Total: 9 signatures
Signature structure
• d1 signs three times, using the nonces k1, k2, k3 (or possibly their opposites -k1, -k2, -k3).
• Nonce k1 (or -k1) is used by: d1, d2, d3
• Nonce k2 (or -k2) is used by: d1, d4, d5
• Nonce k3 (or -k3) is used by: d1, d6, d7
So we clearly have nonce reuse between different private keys, with d1 acting as a pivot, since it signs once with each of the three nonces.
It also appears that RFC 6979 was not used, otherwise each signature would have a deterministic unique nonce.
ECDSA equation
s = k⁻¹ (z + r·d) mod n
which can be rewritten as:
k·s = z + r·d (mod n)
In this setup we therefore have:
9 equations for 10 unknowns
Unknowns:
Private keys:
d1, d2, d3, d4, d5, d6, d7
Nonces:
k1, k2, k3
Question
Even though the system appears underdetermined (9 equations for 10 unknowns), the particular structure — with nonce reuse across multiple keys and d1 acting as a pivot connecting the three groups — might allow some reduction of the system.
Is there any known method to solve this kind of system?
Thanks in advance for any insights.
|
