Breaking ECDSA with Two Affinely Related Nonces

Jamie Gilchrist; William J Buchanan; Keir Finlow-Bates

Paper 2025/705

Breaking ECDSA with Two Affinely Related Nonces

Jamie Gilchrist

, Edinburgh Napier University

William J Buchanan

, Edinburgh Napier University

Keir Finlow-Bates

Abstract

The security of the Elliptic Curve Digital Signature Algorithm (ECDSA) depends on the uniqueness and secrecy of the nonce, which is used in each signature. While it is well understood that nonce $k$ reuse across two distinct messages can leak the private key, we show that even if a distinct value is used for $k_{2}$ , where an affine relationship exists in the form of: , we can also recover the private key. Our method requires only two signatures (even over the same message) and relies purely on algebra, with no need for lattice reduction or brute-force search(if the relationship, or offset, is known). To our knowledge, this is the first closed-form derivation of the ECDSA private key from only two signatures over the same message, under a known affine relationship between nonces.

Metadata

Available format(s): PDF
Category: Attacks and cryptanalysis
Publication info: Preprint.
Keywords: ECDSA nonce reuse affinely related nonce
Contact author(s): b buchanan @ napier ac uk
History: 2025-04-18: approved; 2025-04-18: received; See all versions
Short URL: https://ia.cr/2025/705
License: CC BY

BibTeX

@misc{cryptoeprint:2025/705,
      author = {Jamie Gilchrist and William J Buchanan and Keir Finlow-Bates},
      title = {Breaking {ECDSA} with Two Affinely Related Nonces},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/705},
      year = {2025},
      url = {https://eprint.iacr.org/2025/705}
}