Paper 2025/705

Breaking ECDSA with Two Affinely Related Nonces

Jamie Gilchrist, Edinburgh Napier University
William J Buchanan, Edinburgh Napier University
Keir Finlow-Bates
Abstract

The security of the Elliptic Curve Digital Signature Algorithm (ECDSA) depends on the uniqueness and secrecy of the nonce, which is used in each signature. While it is well understood that nonce $k$ reuse across two distinct messages can leak the private key, we show that even if a distinct value is used for $k_2$, where an affine relationship exists in the form of: \(k_m = a \cdot k_n + b\), we can also recover the private key. Our method requires only two signatures (even over the same message) and relies purely on algebra, with no need for lattice reduction or brute-force search(if the relationship, or offset, is known). To our knowledge, this is the first closed-form derivation of the ECDSA private key from only two signatures over the same message, under a known affine relationship between nonces.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
ECDSAnonce reuseaffinely related nonce
Contact author(s)
b buchanan @ napier ac uk
History
2025-04-18: approved
2025-04-18: received
See all versions
Short URL
https://ia.cr/2025/705
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2025/705,
      author = {Jamie Gilchrist and William J Buchanan and Keir Finlow-Bates},
      title = {Breaking {ECDSA} with Two Affinely Related Nonces},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/705},
      year = {2025},
      url = {https://eprint.iacr.org/2025/705}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.