Paper 2023/841

The curious case of the half-half Bitcoin ECDSA nonces

Dylan Rowe, University of California, San Diego
Joachim Breitner
Nadia Heninger, University of California, San Diego

We report on a new class of ECDSA signature vulnerability observed in the wild on the Bitcoin blockchain that results from a signature nonce generated by concatenating half of the bits of the message hash together with half of the bits of the secret signing key. We give a lattice-based attack for efficiently recovering the secret key from a single signature of this form. We then search the entire Bitcoin blockchain for such signatures, and identify and track the activities of an apparently custom ECDSA/Bitcoin implementation that has been used to empty hundreds of compromised Bitcoin addresses for many years.

Category
Attacks and cryptanalysis
Publication info
Published elsewhere. AfricaCrypt 2023
Contact author(s)
drowe @ ucsd edu
mail @ joachim-breitner de
nadiah @ cs ucsd edu
History
2023-06-06: approved
2023-06-06: received
License
Creative Commons Attribution